
Phone number as employee password is a security risk #396

Open
chsasank opened this issue Nov 21, 2024 · 7 comments

Comments

@chsasank

The phone number is being used as the password for employees by default when they are created. This is a clear security risk, because email + phone number is very common knowledge. We should consider sending a randomly generated password via email and asking for it to be reset on first login. Happy to contribute this feature if guided.

@chsasank
Author

We just need a random text generator here:

password = self.phone
followed by an email sender

@horilla-opensource
Owner

Hi @chsasank,

Thank you for your valuable feedback regarding the use of phone numbers as initial passwords for employees. We understand your concern about the potential security risks associated with this approach.

This mechanism was designed for ease during the initial setup, where admins create user accounts and share credentials with employees. Since not all users have email configured in the backend system, sending randomly generated passwords via email isn't always feasible. This approach aimed to reduce the workload for admins by avoiding the need to manually copy and share each password.

That said, we completely acknowledge the security risks involved. Based on your suggestion and our review, we will be removing this mechanism in the next version of Horilla. Instead:

  • Password reset links will be pre-generated for all new accounts.
  • Admins can easily share these links with employees, allowing them to set secure passwords on their own.

We appreciate the time and effort you’ve dedicated to testing Horilla and sharing your thoughts. Your input helps us continually improve and refine the system.

Thank you once again!

Best regards,
Team Horilla

@chsasank
Author

Hey! I'm happy to make this pull request if you guys are open.

@chsasank
Author

You can use django sesame to accomplish this: https://github.com/aaugustin/django-sesame

@horilla-opensource
Owner

> Hey! I'm happy to make this pull request if you guys are open.

Hi @chsasank,

Please feel free to do so. We are open to all kinds of contributions to the codebase.

Thanks for your suggestions and support for the system.

With Regards,
Team Horilla

@TalibY22
Contributor

TalibY22 commented Dec 3, 2024

I was thinking, what if they implemented a forced reset when the employee logs in for the first time?

@chsasank
Author

chsasank commented Dec 6, 2024

Still a security risk, because employees might not log in immediately the first time, and a malicious actor could impersonate them.
