#4444 closed enhancement (invalid)
Ask for current password when changing password
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | low | Milestone: | |
| Component: | Administration | Version: | 2.3 |
| Severity: | minor | Keywords: | |
| Cc: | | | |
Description
Any thoughts on the idea of forcing users to enter their current password before being able to change their account's password? This would add a little security on the off-chance that someone gained access to a user's admin area (say if they stupidly ticked "remember me" on a public PC or something).
Change History (3)
comment:1
markjaquith — 6 years ago
I don't think this buys us any additional security. Someone with such access could install a backdoor, create a new user, or do any number of other things to engineer future access.
comment:2
Viper007Bond — 6 years ago
- Resolution set to invalid
- Status changed from new to closed

> Someone with such access could install a backdoor

Only if the user has their theme files writable.

> create a new user

Oh, good point. Nevermind then.