From a data security perspective your statement about 'Any organization would have generic accounts' is dangerous, IMHO.

If under stricter data security regulations, you would first of all want traceability of who did what in the system, hence you want individual accounts. And initiatives like the Payment Card Industry Data Security Standards are addressing exactly those kinds of issues and enforcing such policies. So beware when using 'group accounts' over individual logins. They may be easy to use for everyone, but then beware that it's also easy to hack them (who would use a cryptic password on a group account ....?) or to be nasty with enforced password resets.

I tend to use either email or even generic xAdmin01 or such, which are abstracted. On production OFBiz systems, I do not use any of the demo accounts either. Then BJ's point perfectly kicks in that user names are no longer guessable and thus your pain would go away.

Just my 0.02 EUR.

Greets
Carsten

2011/7/30 Mike <[email protected]>

> There must be something more. Any organization would have generic
> logins, like "sales", or it would be easy to guess employee logins
> from the "about us" page. It makes sense that the password reset
> should be intended ONLY for customers, not (any) system-type login.
>
> I would think that the password reset feature should be limited to
> certain roles, like "Customer".
>
> On Sat, Jul 30, 2011 at 4:00 AM, BJ Freeman <[email protected]> wrote:
> > for production systems do not use "admin" as a login.
> > it is never created.
> >
> > Mike sent the following on 7/30/2011 12:10 AM:
> >> Why is it that *any* user can, using the password reset or "Forgot
> >> Your Password", actually force "admin" to change the password? Is
> >> there a way to turn this off?
> >>

--
Best
Carsten Schinzer
Waisenhausstr. 53a
80637 München
Germany
