Description
It would be good if you had the ability to enforce a password reset when a new user logs into the UI.
Below is a common workflow when setting up users' access to Couchbase Server:
- Create a new user, set their password to something random or generic (e.g. "correcthorsebatterystaple")
- Provide the user with their login, ask them politely to change their password when they log in
- The user logs in with that password but then never has any motivation to change it (maybe they don't even know where to do that)
- This process can then repeat for many other users with varying levels of access, allowing potential stealing of accounts through weak or 'shared' passwords
Instead, if we had the ability to enforce password changes upon first login, then Administrators could appropriately distribute accounts to users in a reasonable workflow while also having some level of assurance that they won't be using the password the account was created with.
I do not think having a password change is mandatory across all APIs as this would be a lot of work, but think it would be useful to have it in the UI at least (assigned to ns_server + UI as I guess there would be work required on ns_server side to facilitate).
Issue Links
- relates to: MB-32543 Enhanced password policy for built-in users (Open)