Last modified: 2010-05-15 15:38:05 UTC
If we send out an email to a new user with a random password (from Special:Userlogin) logged in as SysAdmin, then the user can log in with the password in the email, but _also_ with an empty password! This is no longer possible, once the user has logged in and reset his password. Setting $wgMinimalPasswordLength in LocalSettings.php to a value other than 0 seems to fix this problem.
Set an initial password in the user creation form, or you're giving it an empty password!
(In reply to comment #1)
> Set an initial password in the user creation form, or you're giving it an empty
> password!
Thanks for the comment. That's what I found as a workaround as well. I still think it is counterintuitive that using the method described at http://meta.wikimedia.org/wiki/Access_Restrictions results in a user that has _two_ passwords. One random - sent out via email - and an empty password. Or am I missing something?
(In reply to comment #2)
> .... I still think it is counterintuitive that using the
> method described at http://meta.wikimedia.org/wiki/Access_Restrictions results in a user that has _two_ passwords. One
> random - sent out via email - and an empty password. Or am I missing something?
No; it results indeed in a user that has _two_ passwords. One random - sent out via email - and the regular password (which might be empty in your case).
See also http://bugzilla.wikimedia.org/show_bug.cgi?id=2242, wherein I proposed an expiry time for the temporary password.