Feature #199
Don't allow a user's password to contain the username
| Status: | Approved | Start date: | 2009-11-27 |
|---|---|---|---|
| Priority: | Undecided | Due date: | |
| Assignee: | - | % Done: | 0% |
| Category: | - | | |
| Target version: | - | | |
Description
To help protect users' accounts when registering and altering a password, it should be disallowed to have the username or email address in the password.
History
Updated by Alex Cartwright about 2 years ago
3 possible ways of doing this:
- Check if the username exists in the password, simple and easy. Trouble is, with a short username like 3 letters, it is very possible to have those in the password - but not be a security concern.
- Check if the username is over, say, 5 chars long - if so, then check if the username exists in the password.
- Also check that their password is not their email address
Updated by Alex Cartwright about 1 year ago
- Status changed from 17 to Approved
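
A sketch of the check discussed in this ticket, added here as an example and not taken from the project's code. The function name, the rejection messages, the case and Unicode folding, and the rule that a short username is still rejected when it is the entire password are assumptions; the 5-character threshold is the one suggested in the comment above.

```python
import unicodedata

# Threshold from the ticket's second option ("over say, 5 chars long").
USERNAME_MIN_LEN = 5


def _norm(value: str) -> str:
    """Fold case and Unicode compatibility forms so 'ALICE' matches 'alice'."""
    return unicodedata.normalize("NFKC", value).casefold().strip()


def password_identity_problems(password, username, email,
                               username_min_len=USERNAME_MIN_LEN):
    """Return the reasons a password is rejected (empty list means accepted).

    Hypothetical helper: compares normalized copies only, the stored
    password itself is never modified.
    """
    pw, user, mail = _norm(password), _norm(username), _norm(email)
    problems = []

    if user and pw == user:
        # Assumption: even a short username may not be the whole password.
        problems.append("password is the username")
    elif len(user) > username_min_len and user in pw:
        # Substring check only for longer usernames, so a 3-letter name
        # such as "bob" does not reject an unrelated "bobsled..." password.
        problems.append("password contains the username")

    if mail and mail in pw:
        # Covers both "is the email address" and "contains it".
        problems.append("password contains the email address")

    return problems


if __name__ == "__main__":
    # Constructed sample accounts, not real users.
    samples = [
        ("bobsled-Runner-42", "bob", "bob@example.com"),
        ("My-JSmith2009-pw", "jsmith2009", "js@example.com"),
        ("J.Doe@Example.com", "jd", "j.doe@example.com"),
    ]
    for pw, user, mail in samples:
        print(user, password_identity_problems(pw, user, mail) or "accepted")
```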