Passwords for new users

I see that to add a new user to the system, the administrator must define a password, and then send it by some means to the user.

I think this offers a poor security level. Having the administrator know the passwords of all users, and send them in clear is not very good, besides being tedious for the admin.

Is someone thinking of having a better way to add users? Like, for example, the system automatically generating and sending a one-time password that must be changed at first login.

Well, first keep in mind that users are able to change their passwords after logging in to the SSO, by clicking on the little avatar thing in the top-left, then “Change password” (dunno if that part of the interface is obvious; it could probably help to be better documented).

I don’t know if there really are better alternative mechanisms, except having a one-time password that needs to be changed after the first time you log in … But I would avoid sending it by email, otherwise you depend on having a proper email stack configured (meaning ports correctly forwarded and the full DNS things for email, and not being blacklisted for some reason).

For now, personally I would just recommend that you implement the “one-time password” thing manually, by putting obviously not-strong passwords for your users and asking them to change them right away.

Well, I think that the problem is that users, although able to change their passwords, often don’t do it because of laziness. The best system I have seen to add users is that, when you add a new user, an invite link is created and sent by email. The link has a temporary random key that only lasts for some hours. The link leads the new user to a screen that allows them to type their password. This way, the password never travels in clear anywhere, and nobody but the real user knows it.

For the moment, I think that I’ll use the “manual” method, but with a random password, very difficult to remember, to somewhat “force” the users to change it.

Sure, but as said:

I believe most users don’t have a reasonably good email setup for this to be reliable, because not everybody is aware of the whole DNS configuration thing for email and YunoHost doesn’t make it too explicit anyway, and even if they did, sometimes they can’t because of their ISP or because of the deviation from the “standard setup”.

Anyway, there’s surely something better to implement compared to the current system, but that’s just one item among the thousand other items on the todo list. Nevertheless, that would be a good first contribution :wink:

Correct. Email configuration is actually very complex. Perhaps we could generate the invite link and show it to the admin so they can copy it and paste it into a manual email.

I’m looking at the source code and it seems well organized and not too complicated. Not now, but if in the future I’m able to allocate some time for this, I’ll try to implement this solution. Thanks.


Hi

I’m also wondering how to force new users to choose complex passwords!
Users are choosing poor passwords and YunoHost is allowing them.
Is there any password policy for new users?

@yacin you can manually choose to change this setting:

security.password.user.strength

-1: disables the check completely
0: alert if listed in common passwords
1: 8 letters minimum, alert if listed in common passwords
2: 8 letters minimum, digit, lower and upper, alert if listed in common passwords
3: 8 letters minimum, digit, lower, upper, and other characters, alert if listed in common passwords
4: 12 letters minimum, digit, lower, upper, and other characters, alert if listed in common passwords

To do that:

yunohost settings set security.password.user.strength -v 2

You can change the password policy for admin too:

security.password.admin.strength

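To make the strength levels above concrete, here is an added example (not YunoHost’s own code) that applies the rules exactly as listed in the post, level by level, to a candidate password. It assumes a tiny constructed stand-in for the “common password” list, and it treats a common-list hit as a rejection rather than just an alert.

```python
import re

# Constructed stand-in for the common-password list (YunoHost's real list is
# much larger); an assumption for this example only.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "yunohost", "admin"}

# Minimum length and required character classes per strength level, as
# listed in the thread for security.password.user.strength.
# None means the check is disabled completely (level -1).
POLICY = {
    -1: None,
    0: (0, set()),
    1: (8, set()),
    2: (8, {"digit", "lower", "upper"}),
    3: (8, {"digit", "lower", "upper", "other"}),
    4: (12, {"digit", "lower", "upper", "other"}),
}

CLASS_PATTERNS = {
    "digit": r"[0-9]",
    "lower": r"[a-z]",
    "upper": r"[A-Z]",
    "other": r"[^0-9a-zA-Z]",
}


def check_password(password: str, level: int) -> list:
    """Return the list of policy violations for `password` at `level`.

    An empty list means the password is accepted. The common-list check
    applies at every enabled level, as it does in the thread's table.
    """
    if level not in POLICY:
        raise ValueError(f"unknown strength level {level}")
    if POLICY[level] is None:
        return []
    min_len, classes = POLICY[level]
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("listed in common passwords")
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    for name in ("digit", "lower", "upper", "other"):
        if name in classes and not re.search(CLASS_PATTERNS[name], password):
            problems.append(f"missing {name} character")
    return problems


if __name__ == "__main__":
    for pw, lvl in [("password", 0), ("Tr0ub4dor", 3), ("Tr0ub4dor&3-horse", 4)]:
        print(lvl, pw, check_password(pw, lvl) or "OK")
```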

Note: when a user changes his/her password, YunoHost displays this message:

You are now about to define a new user password. The password should be at least 8 characters - though it is good practice to use longer password (i.e. a passphrase) and/or to use various kind of characters (uppercase, lowercase, digits and special characters).

Note: for technical reasons, this message doesn’t change if you change the password policy. So the user could be disappointed to get an error message after validation saying to use a 12-letter password…


Is there currently a way to force a user to change his/her password at the next login?

No, this feature doesn’t exist currently.

I have to bootstrap 200 new accounts, how could I do that without just hoping that the users will change their initial passwords?

Is there a way to offer a registration form?

Personally, I set up for each account a password sooooo long that users change it…

In a simple way, no. It’s planned for the future.

But, if you have some skills in HTML/JavaScript, you can create your own registration form by using the YunoHost HTTP API (see yourdomain.tld/yunohost/api/). The API is described in this file: https://github.com/YunoHost/yunohost/blob/stretch-unstable/data/actionsmap/yunohost.yml#L76
