Last modified: 2010-05-15 15:38:05 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T6063, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 4063 - New user can login with empty password
New user can login with empty password
Status: RESOLVED INVALID
Product: MediaWiki
Classification: Unclassified
User login and signup (Other open bugs)
1.5.x
All All
: Normal normal with 1 vote (vote)
: ---
Assigned To: Nobody - You can work on this!
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2005-11-24 17:36 UTC by chris01
Modified: 2010-05-15 15:38 UTC (History)
0 users

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments

Description chris01 2005-11-24 17:36:54 UTC
If we send out an email to a new user with a random password (from Special:Userlogin) logged in as SysAdmin, then the user can log in with the 
password in the email, but _also_ with an empty password!

This is no longer possible, once the user has logged in and reset his password.

Setting $wgMinimalPasswordLength in LocalSettings.php to a value other than 0 seems to fix this problem.
Comment 1 Brion Vibber 2005-11-24 20:38:24 UTC
Set an initial password in the user creation form, or you're giving it an empty 
password!
Comment 2 chris01 2005-11-25 07:19:47 UTC
(In reply to comment #1)
> Set an initial password in the user creation form, or you're giving it an empty 
> password!

Thanks for the comment. That's what i found as a workaround as well. I still think it is counter intuitive that using the 
method described at http://meta.wikimedia.org/wiki/Access_Restrictions results in a user that has _two_ passwords. One 
random - sent out via email - and an empty password. Or am I missing something?

Comment 3 T. Gries 2005-11-25 07:24:39 UTC
(In reply to comment #2)
> .... I still think it is counter intuitive that using the 
> method described at http://meta.wikimedia.org/wiki/Access_Restrictions results
in a user that has _two_ passwords. One 
> random - sent out via email - and an empty password. Or am I missing something?

No; it results indeed in a user that has _two_ passwords. One random - sent out
via email - and the regular password (which might be empty in your case).
 
Comment 4 T. Gries 2005-11-25 07:27:48 UTC
See also http://bugzilla.wikimedia.org/show_bug.cgi?id=2242 , wherein I proposed
an expiry time for the temporary password

Note You need to log in before you can comment on or make changes to this bug.


Navigation
Links