[Koha-bugs] [Bug 8753] Add forgot password link to OPAC

bugzilla-daemon at bugs.koha-community.org
Wed Nov 5 23:23:49 CET 2014


http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=8753

--- Comment #67 from David Cook <dcook at prosentient.com.au> ---
(In reply to M. de Rooy from comment #66)
> (In reply to Liz Rea from comment #63)
> > Comment 57, 2nd paragraph - when someone doing QA suggests mailing a
> > cleartext password might be ok, it seems right to emphatically tell them
> > "no, that's a bad idea."
> 
> Please keep it in context. Hope I do not intercept any undertone about QA
> work here? 
> 
> For completeness: I completely agree that sending a password by mail is
> theoretically very bad. However, we probably do not have a 100% safe
> solution for this. So therefore in a pragmatic view the sensitivity argument
> etc.
> And to add: As long as many OPACs are going over HTTP, we send the password
> clear text all over the place.
> 
> But again, also comment 57: This approach is fine with me!

When it comes to security/safety, there is never a 100% guarantee. However,
there are better and worse ways of doing things. It sounds like the approach
used in these patches is a reasonable one. As Eric mentioned, it's the
"standard" way of doing it.

As for sending passwords in the clear when using HTTP, that's not an issue with
Koha's code. That's an end-user configuration issue. If people are using HTTP
instead of HTTPS, that's their responsibility.
