All of the above.
Personally, I disagree with the setting existing to begin with, and
think that the initial passwords should be much more complicated than
just digits.
Thomas Berezansky
Merrimack Valley Library Consortium
Quoting Bob Wicksall <[email protected]>:
<Snip>
Because resetting someone's password to something that is basically
public information, their phone number, is asking for accounts to be
hijacked.
If that is the case you could argue that the setting shouldn't exist
in the first place. What is worse? A database full of users who
have never changed their password from the default phone number or a
few manually reset passwords?
Bob Wicksall
Systems Administrator
Pioneer Library System
2557 State Rt. 21
Canandaigua, New York 14424
----- Original Message -----
From: "Jason Stephenson" <[email protected]>
To: [email protected]
Sent: Friday, August 3, 2012 9:27:00 AM
Subject: Re: [OPEN-ILS-GENERAL] Password reset uses phone number fails: EG2.2
Quoting Thomas Berezansky <[email protected]>:
> All future resets would still be random.
Because resetting someone's password to something that is basically
public information, their phone number, is asking for accounts to be
hijacked.
--
Jason Stephenson
Assistant Director for Technology Services
Merrimack Valley Library Consortium
Chief Bug Wrangler, Evergreen ILS