
New user can login with empty password
Closed, Invalid

Description

Author: schaffner

Description:
If we send out an email to a new user with a random password (from Special:Userlogin) logged in as SysAdmin, then the user can log in with the
password in the email, but _also_ with an empty password!

This is no longer possible, once the user has logged in and reset his password.

Setting $wgMinimalPasswordLength in LocalSettings.php to a value other than 0 seems to fix this problem.


Version: 1.5.x
Severity: normal

Details

Reference
bz4063

Event Timeline

bzimport raised the priority of this task from to Medium. (Nov 21 2014, 8:59 PM)
bzimport set Reference to bz4063.
bzimport added a subscriber: Unknown Object (MLST).

Set an initial password in the user creation form, or you're giving it an empty
password!

schaffner wrote:

(In reply to comment #1)

> Set an initial password in the user creation form, or you're giving it an empty
> password!

Thanks for the comment. That's what I found as a workaround as well. I still think it is counterintuitive that using the
method described at http://meta.wikimedia.org/wiki/Access_Restrictions results in a user that has _two_ passwords. One
random - sent out via email - and an empty password. Or am I missing something?

(In reply to comment #2)

> .... I still think it is counterintuitive that using the
> method described at http://meta.wikimedia.org/wiki/Access_Restrictions results
> in a user that has _two_ passwords. One
> random - sent out via email - and an empty password. Or am I missing something?

No; it results indeed in a user that has _two_ passwords. One random - sent out
via email - and the regular password (which might be empty in your case).

See also http://bugzilla.wikimedia.org/show_bug.cgi?id=2242 , wherein I proposed
an expiry time for the temporary password
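
The behaviour discussed in this thread, as an added PHP sketch that is not MediaWiki's code and not part of the original task: an account holding both a regular and an e-mailed temporary password, with a minimum-length check and the proposed expiry applied at login. The function names, the `MIN_PASSWORD_LENGTH` and `TEMP_PASSWORD_TTL` constants, the 7-day expiry and the sample password are all assumptions made for the example.

```php
<?php
// Added illustration, not MediaWiki source. Hypothetical model of an account
// that holds a regular password and an e-mailed temporary password.
declare(strict_types=1);

const MIN_PASSWORD_LENGTH = 1;          // assumption: stands in for a non-zero $wgMinimalPasswordLength
const TEMP_PASSWORD_TTL   = 7 * 86400;  // assumption: 7-day expiry, value chosen for this example

function makeAccount(string $regular, string $temporary, int $issuedAt): array
{
    return [
        // An account created without an initial password stores no regular hash,
        // so there is nothing for an empty submission to match.
        'regular_hash' => $regular === '' ? null : password_hash($regular, PASSWORD_DEFAULT),
        'temp_hash'    => password_hash($temporary, PASSWORD_DEFAULT),
        'temp_issued'  => $issuedAt,
    ];
}

function checkLogin(array $account, string $submitted, int $now): string
{
    // Reject short (including empty) submissions before touching any stored secret.
    if (strlen($submitted) < MIN_PASSWORD_LENGTH) {
        return 'rejected: too short';
    }
    if ($account['regular_hash'] !== null
        && password_verify($submitted, $account['regular_hash'])) {
        return 'ok: regular password';
    }
    // The temporary password is honoured only inside its validity window.
    $tempValid = ($now - $account['temp_issued']) <= TEMP_PASSWORD_TTL;
    if ($tempValid && password_verify($submitted, $account['temp_hash'])) {
        return 'ok: temporary password, force reset';
    }
    return 'rejected: no match';
}

// Constructed sample data: account created with no initial password.
$t0 = 1000000;
$account = makeAccount('', 'x7Qp-constructed', $t0);
foreach ([
    ['', $t0 + 60],                                     // empty password attempt
    ['x7Qp-constructed', $t0 + 60],                     // temporary password, fresh
    ['x7Qp-constructed', $t0 + TEMP_PASSWORD_TTL + 1],  // temporary password, expired
] as [$pw, $now]) {
    printf("%-20s -> %s\n", var_export($pw, true), checkLogin($account, $pw, $now));
}
```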