An error occurred while saving the commentGary Thompson commented
I just joined an organisation using this platform and was horrified that a password was generated for me, and then sent to the email address I used to register with and a link directly to login. As far as minimum levels of security goes this is a spectacular fail.
I then tried to change my password, and the UX around this is _horrible_; no indication of max/min length, no indication of chars allowed, and the failure message for a password which is too long is that the password is too short... This really does beg the question, how are passwords being stored, and why are char sets restricted. In my opinion, this is just horrific.
1) Never set a user's password - they should be allowed to set their own
2) Never restrict the length or allowable chars for a user password; there's simply no need
3) Never, ever, ever, EVER, send a password in plain text to the email address registered; bonus negative points for providing the login link in the same email.
The fact that this idea was proposed nearly 2 years ago and still hasn't been implemented is extremely worrying - this shouldn't be a 'nice to have' on a wishlist - this should be absolute minimum level of development with security in mind.Gary Thompson supported this idea ·