Details
- Improvement
- Resolution: Unresolved
- Medium
- 1.13.0, 2.0.0, 1.13.5, 2.5.8, 3.0.0-beta5
- None
Description
In legacy you have to enter an admin password during the setup wizard. In eZ Platform there is no such wizard, and the composer scripts do not ask for this either. So if you don't remember to change the admin password, you end up with a very well-known one.
Suggested alternatives:
1. Add admin password creation to the scripts running during composer install, and/or to the backend UI login, if it detects that the admin password is not changed.
2. Detect when the admin password is not changed, and display a big fat warning in admin until it's changed. Possibly also in composer commands.
3. Publish a go-live checklist with important info like this.
4. Use our password notification/expiry feature such that the admin password by default expires shortly after install, e.g. notification in 1 day, expiry in 1 week?
1 and 2 can be combined, so that if you enter the currently default password during install, it will not be accepted or a warning is shown. However option 4 basically does this for us without having to add new features.