Todo #15266

closed

Prevent usage of the default password in User Manager accounts

Added by Jim Pingle 3 months ago. Updated about 1 month ago.

Status: Resolved
Priority: High
Assignee:
Category: Authentication
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Release Notes: Default

Description

Currently we detect in the GUI when the admin account is using the default password ("pfsense") and print a warning message: source:src/usr/local/www/head.inc#L564

We should change that to check any account (not just admin) and force a password change during one or more of the user's initial interactions, for example:

  • During the setup wizard
  • GUI login any time the password matches the default password
  • Shell (console or SSH) login any time the password matches the default password
  • Possibly during the installation process

We should also not allow the user to change their password to any variation of "pfsense" in upper/lower/mixed case.
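The checks described above, as an added example that is not pfSense's own code: it verifies against the stored bcrypt hash (so it covers every User Manager account, not only admin), rejects any case variation of "pfsense" as a new password, and lists the accounts that still need a forced change. The user list is constructed here, and the 'bcrypt-hash' key shape is an assumption about the config layout.

```php
<?php
// Added example, not pfSense project code. The user entries below are
// constructed; the 'name' / 'bcrypt-hash' keys are assumed, not verified.
const DEFAULT_PASSWORD = 'pfsense';

// True when the stored bcrypt hash is a hash of the default password.
// Checking the hash (rather than the username) lets the same test run for
// any account at GUI login, console/SSH login, or in the setup wizard.
function account_uses_default_password(string $bcrypt_hash): bool {
    return password_verify(DEFAULT_PASSWORD, $bcrypt_hash);
}

// Reject a proposed new password that is the default in upper, lower or
// mixed case. strcasecmp() returns 0 for a case-insensitive match.
function is_forbidden_new_password(string $candidate): bool {
    return strcasecmp($candidate, DEFAULT_PASSWORD) === 0;
}

// Names of every account still on the default password, so the login and
// wizard hooks can force a change for each one instead of only warning.
function accounts_on_default_password(array $users): array {
    $flagged = [];
    foreach ($users as $user) {
        $hash = $user['bcrypt-hash'] ?? '';
        if ($hash !== '' && account_uses_default_password($hash)) {
            $flagged[] = $user['name'];
        }
    }
    return $flagged;
}

// Constructed sample data: one account still on the default, one changed.
$users = [
    ['name' => 'admin',   'bcrypt-hash' => password_hash('pfsense', PASSWORD_BCRYPT)],
    ['name' => 'auditor', 'bcrypt-hash' => password_hash('long unrelated passphrase', PASSWORD_BCRYPT)],
];

var_dump(accounts_on_default_password($users));
var_dump(is_forbidden_new_password('PfSeNsE'));
var_dump(is_forbidden_new_password('pfsense-is-not-my-password'));
```

Because the check uses the hash rather than a string compare, it also keeps working if the default account is renamed or additional accounts are created with the default password.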
