
All the Perl that's Practical to Extract and Report



Journal of Beatnik (493)

Tuesday January 31, 2006, 04:26 PM

Default Password

[ #28531 ]
Dear Slashdot *cough*

What would be an effective mechanism to make sure the user changes the default password, without adapting your entire codebase around this single feature?

Suppose your webmail app has something like 123456 set as a default password. The app is pretty visible, so potential crackers could easily just google for it. Although it's part of the user experience, it's plain silly to focus a large portion of your code on something you assume the user will/should do, which could save about 5% code overhead in the end. A hint would be to not fill in the password by default, or to indicate in some way that the user is still using the default password. Maybe a simple dialog reminder, or just an italic section in the installation documentation?
  • Amending the documentation is useless; it’s not even enough for plausible deniability on your part. You will need to write some code.

    The simplest way to deal with this is to put an “activated” flag on accounts. Do not allow logging into accounts with this flag set. If a user tries to and gives the right password, return a screen that lets them change the password, and when they do so, set the activation flag.

    This avoids leaking complexity into other parts of the code; they can just
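The activation-flag scheme from the comment above, as an added example that is not part of the original journal or of Spine. Everything here is hypothetical: the account store is an in-memory hash standing in for a DB table with an activated column, salts come from /dev/urandom (Unix assumed), and PBKDF2-HMAC-SHA256 built on core Digest::SHA stands in for bcrypt/scrypt/Argon2, which you would use if the module is available. The function names and the return strings are invented for the demo.

```perl
#!/usr/bin/perl
# Forced password change on first login: a non-activated account accepts the
# correct password but yields 'must_change_password' instead of a session.
# Hypothetical demo, not Spine's code.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256);

my $DEFAULT_PASSWORD = '123456';   # the published install default (assumed)
my $ITERATIONS       = 100_000;    # PBKDF2 work factor; tune for your hardware
my $MIN_LENGTH       = 12;         # assumed local policy

my %accounts;   # username => { salt, hash, activated }  (in-memory stand-in for a DB table)

# PBKDF2-HMAC-SHA256 (RFC 8018) using only core Digest::SHA.
sub pbkdf2_sha256 {
    my ($password, $salt, $iter, $dklen) = @_;
    my ($dk, $block) = ('', 1);
    while (length($dk) < $dklen) {
        my $u = hmac_sha256($salt . pack('N', $block++), $password);
        my $t = $u;
        for (2 .. $iter) {
            $u = hmac_sha256($u, $password);
            $t ^= $u;                      # string XOR on raw bytes
        }
        $dk .= $t;
    }
    return substr($dk, 0, $dklen);
}

sub random_salt {
    open(my $fh, '<:raw', '/dev/urandom') or die "cannot open /dev/urandom: $!";
    read($fh, my $salt, 16) == 16 or die "short read from /dev/urandom";
    close $fh;
    return $salt;
}

# Constant-time comparison so a wrong guess fails in the same time regardless
# of how many leading bytes match.
sub const_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

sub set_password {
    my ($acct, $password) = @_;
    $acct->{salt} = random_salt();
    $acct->{hash} = pbkdf2_sha256($password, $acct->{salt}, $ITERATIONS, 32);
}

sub check_password {
    my ($acct, $password) = @_;
    my $h = pbkdf2_sha256($password, $acct->{salt}, $ITERATIONS, 32);
    return const_eq($h, $acct->{hash});
}

# New accounts start with the default password and activated => 0.
sub create_account {
    my ($user) = @_;
    my $acct = { activated => 0 };
    set_password($acct, $DEFAULT_PASSWORD);
    $accounts{$user} = $acct;
}

# The only place the rest of the application has to know about activation.
sub login {
    my ($user, $password) = @_;
    my $acct = $accounts{$user} or return 'denied';
    return 'denied' unless check_password($acct, $password);
    return 'must_change_password' unless $acct->{activated};
    return 'ok';
}

# Changing the password is what flips the flag. The old password is required,
# and the new one may not be the published default (or the old one), otherwise
# a user could "activate" an account that is still trivially guessable.
sub change_password {
    my ($user, $old, $new) = @_;
    my $acct = $accounts{$user} or return 'denied';
    return 'denied' unless check_password($acct, $old);
    return 'weak_password'
        if $new eq $DEFAULT_PASSWORD || $new eq $old || length($new) < $MIN_LENGTH;
    set_password($acct, $new);
    $acct->{activated} = 1;
    return 'ok';
}

# Walk-through with a constructed account.
create_account('alice');
print "login with default:    ", login('alice', $DEFAULT_PASSWORD), "\n";
print "re-use the default:    ", change_password('alice', $DEFAULT_PASSWORD, $DEFAULT_PASSWORD), "\n";
print "set a real password:   ", change_password('alice', $DEFAULT_PASSWORD, 'correct horse battery'), "\n";
print "login, new password:   ", login('alice', 'correct horse battery'), "\n";
print "login, old default:    ", login('alice', $DEFAULT_PASSWORD), "\n";
```

In a mod_perl handler the login() result is the only thing the rest of the code sees: 'ok' issues the session, 'must_change_password' redirects to the change form, anything else is a failed login. The activated flag is never touched anywhere except change_password(), so no other module needs to know the default exists. The refusal to accept the default (or the old password) as the new one is the check that makes the flag mean something; without it the "activation" is just the user typing 123456 twice.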