We have moved to GitHub Issues
Created by Sebastiaan Janssen 29 Apr 2015, 10:02:28 Updated by Stephan 15 Mar 2017, 11:37:17
Tags: Unscheduled
Currently we ship with useLegacyEncoding="true" for backwards compatibility reasons (make it easier for people to upgrade and merge their config files without having to remember not to touch this setting for an existing site).
We should also update the installer to generate a machine key that is stored in the web.config before the user is created. We could also perhaps have an 'advanced' option during the user creation to turn off machine key generation. Of course if there's already a machine key in there, it wouldn't do anything.
Have created a PR for this in case people want to review:
Postponing this until 7.4 because:
@sebastiaan are you still looking into this or do you want me to update it (i.e. pull it in and remove that machine key install step)?
On it today! :)
I've also added allowManuallyChangingPassword="false" so that it's harder for an XSS attack to reset people's passwords (we still have the "reset password" checkbox on members and users to give people the ability to change anybody's password; tested, works great, generates a random password, beautiful, see screenshot).
Other than that I've read this with great interest: https://blog.codinghorror.com/password-rules-are-bullshit/ It seems reasonable to set the minimum password length to 10 characters, especially for those people who will be able to log into the backoffice. Any objections to making the default 10 chars?
Note that this only applies to brand new installs, upgrades do not (and can't) force these new settings.
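For readers following the settings discussed in this thread (the machine key generated at install time, useLegacyEncoding, allowManuallyChangingPassword and the 10-character minimum), here is an added web.config illustration that is not part of the issue or of any PR it refers to. The provider type names and attribute names are the ones the ASP.NET membership system and Umbraco 7 use as far as I know; the key values are obvious placeholders that must be replaced by generated keys, and the exact attribute set on your own site may differ.

```xml
<!-- Added illustration, not taken from the issue or its PR.
     Left: the legacy/permissive values the thread is moving away from.
     Right: the values the thread proposes for brand new installs. -->
<configuration>
  <system.web>
    <!-- Generated by the installer before the first user is created.
         Placeholder values: replace with keys generated for this site. -->
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY"
                validation="HMACSHA256"
                decryption="AES" />

    <membership defaultProvider="UmbracoMembershipProvider" userIsOnlineTimeWindow="15">
      <providers>
        <clear />
        <!-- Before (upgrade-compatible defaults):
               useLegacyEncoding="true"
               allowManuallyChangingPassword="true"
               minRequiredPasswordLength="4"
             After (new installs only, as the thread proposes): -->
        <add name="UmbracoMembershipProvider"
             type="Umbraco.Web.Security.Providers.MembersMembershipProvider, Umbraco"
             useLegacyEncoding="false"
             allowManuallyChangingPassword="false"
             minRequiredPasswordLength="10"
             minRequiredNonalphanumericCharacters="0"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="false"
             requiresQuestionAndAnswer="false"
             defaultMemberTypeAlias="Member" />
        <!-- Same hardening for backoffice users, who are the higher-value accounts. -->
        <add name="UsersMembershipProvider"
             type="Umbraco.Web.Security.Providers.UsersMembershipProvider, Umbraco"
             useLegacyEncoding="false"
             allowManuallyChangingPassword="false"
             minRequiredPasswordLength="10"
             minRequiredNonalphanumericCharacters="0"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="false"
             requiresQuestionAndAnswer="false" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

As the comment above notes, these values only make sense for a fresh install: flipping useLegacyEncoding on an existing site changes how stored password hashes are interpreted, so existing members would no longer be able to log in, and a machineKey that is already present should be left untouched so that existing auth cookies and view state keep validating.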
Happy with this, merging.
Backwards Compatible: False
Due in version: 7.6.0
Sprint: Sprint 54