Feature #199
Don't allow a user's password to contain the username
| Status: | Drafting | Start: | 2009-11-27 |
|---|---|---|---|
| Priority: | Undecided | Due date: | |
| Assigned to: | - | % Done: | 0% |
| Category: | - | | |
| Target version: | TangoCMS Project - 2.6.0 | | |
Description
To help protect users' accounts when registering and altering passwords, it should be disallowed to have the username or email address in the password.
History
Updated by Alex Cartwright 3 months ago
3 possible ways of doing this:
- Check if the username exists in the password, simple and easy. Trouble is, with a short username like 3 letters, it is very possible to have those in the password - but not be a security concern.
- Check if the username is over, say, 5 chars long - if so, then check if the username exists in the password.
- Also check that their password is not their email address.
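
One way to combine the checks discussed above, as an added example that is not TangoCMS code: the function name, the reading of the threshold as "at least 5 characters", the exact-match rule for short usernames and the email local-part check are all assumptions that go slightly beyond what the comment proposes.

```python
import unicodedata

# Assumed threshold, from the "say, 5 chars" suggestion in the comment above.
MIN_USERNAME_LEN = 5


def _norm(value: str) -> str:
    """Fold case and Unicode compatibility forms so 'ALICE' matches 'alice'."""
    return unicodedata.normalize("NFKC", value).casefold().strip()


def password_identity_problems(password, username, email,
                               min_len=MIN_USERNAME_LEN):
    """Return the reasons a password is rejected (empty list means accepted)."""
    pw, user, mail = _norm(password), _norm(username), _norm(email)
    problems = []

    # A password identical to the username is rejected whatever its length;
    # the length threshold only guards the substring test, so a 3-letter
    # username that happens to occur inside a long password is tolerated.
    if user and pw == user:
        problems.append("password equals username")
    elif len(user) >= min_len and user in pw:
        problems.append("password contains username")

    if mail and mail in pw:
        problems.append("password contains email address")
    else:
        # Assumed extension: treat the part before '@' like a username.
        local = mail.partition("@")[0]
        if len(local) >= min_len and local in pw:
            problems.append("password contains email local part")
    return problems


if __name__ == "__main__":
    # Constructed sample accounts, not real data.
    samples = [
        ("kabob-Skewer!92", "bob", "bob@example.org"),
        ("xxALEXCARTxx1", "alexcart", "a.c@example.org"),
        ("Carol@Example.org", "caz", "carol@example.org"),
    ]
    for pw, user, mail in samples:
        print(user, password_identity_problems(pw, user, mail))
```
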
Updated by Alex Cartwright 3 months ago
- Target version set to 16
Updated by Alex Cartwright about 1 month ago
- Target version changed from 16 to 20
Updated by Alex Cartwright about 1 month ago
- Target version changed from 20 to 2.6.0