You're right, leaving the reset to the customers would've been better.
Unfortunately, we've already committed to having those passwords on hand
because some of our customer accounts have invalid emails (they don't want
to provide an email address to be 100% sure they don't get any
notifications) and some accounts share the same email address (a support
email address from the customer's company).


On Mon, Mar 4, 2013 at 4:02 PM, Gerald Young <[email protected]> wrote:

> "I need to reset passwords to values that are later communicated to
> customers"
> I don't see how this is good security, especially since the passwords
> aren't forced to reset and you've now generated a list of passwords for all
> your users in plain text after a potential security breach.
>
> I realize you have to do what you have to do, but having the users reset
> their own password is (IMO) a safer tactic.
>
> ---------------------------------------------------------------------
> OTRS mailing list: otrs - Webpage: http://otrs.org/
> Archive: http://lists.otrs.org/pipermail/otrs
> To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
>