
Management for Passwords reset and exposed to internet #100

Open
nigelbabu opened this issue Oct 30, 2014 · 3 comments

Comments

@nigelbabu

Sites get hacked. We need to deal with that eventuality. I'm looking to solve two things:

a) Admin sets password for user (from commandline), emails to user, user does not change the password. Someone gets access to email, the password is right there and it works. Since CKAN portals would have high visibility, this is an attack vector we'd need to think about. I'd say that the user would need to reset the password at first login.

b) The CKAN database has been exposed and made public. We've protected our passwords now, but I think it'd be useful to have a way for admins to delete everyone's password (and reset key) at one go and force users to click Forget Password to get a new password.

Thoughts about the best way to go about this? I'm going to spend some time working on this. I'm looking for concrete opinions and ideas on how this should proceed.

@wardi
Contributor

wardi commented Oct 30, 2014

Can we just not email passwords? Create accounts with invalid passwords so that new users arrive at essentially a differently skinned version of the password reset page before logging in.
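An added sketch (not CKAN's code) of the controls discussed in the issue and in the reply above: an admin-set password that is only good for reaching the change-password page, a "no valid password" state that routes the user to the reset flow, and a single-call bulk invalidation of every stored hash and reset key. The User record, `_hash` and the function names are hypothetical stand-ins, not CKAN's model or API.

```python
import hashlib, hmac, os, secrets, time
from dataclasses import dataclass
from typing import Optional

# Hypothetical user record (not CKAN's model); password None is the "invalid password" state.
@dataclass
class User:
    name: str
    password: Optional[bytes] = None       # 16-byte salt + PBKDF2 hash, or None
    reset_key: Optional[str] = None
    reset_expires: float = 0.0
    must_change_password: bool = False

def _hash(password: str, salt: Optional[bytes] = None) -> bytes:
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def admin_set_password(user: User, password: str) -> None:
    """Item (a): an admin-chosen password only gets the user to the change-password page."""
    user.password = _hash(password)
    user.must_change_password = True

def check_login(user: User, password: str) -> str:
    """Return 'ok', 'reset_required' or 'denied'."""
    if user.password is None:
        return "reset_required"            # no usable password: route to the reset flow
    if not hmac.compare_digest(user.password, _hash(password, user.password[:16])):
        return "denied"
    return "reset_required" if user.must_change_password else "ok"

def invalidate_all_credentials(users: list) -> int:
    """Item (b): after a database exposure, wipe every stored hash and reset key at once."""
    for u in users:
        u.password, u.reset_key, u.reset_expires = None, None, 0.0
    return len(users)

def issue_reset_key(user: User, ttl: int = 3600) -> str:
    """'Forgot password': a fresh, expiring key is the only way back in."""
    user.reset_key = secrets.token_urlsafe(32)
    user.reset_expires = time.time() + ttl
    return user.reset_key

def complete_reset(user: User, key: str, new_password: str) -> bool:
    if user.reset_key is None or time.time() > user.reset_expires:
        return False
    if not hmac.compare_digest(user.reset_key, key):
        return False
    user.password = _hash(new_password)
    user.reset_key, user.must_change_password = None, False
    return True
```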

@adamamyl

> a) Admin sets password for user (from commandline),

Whilst it may be useful to do this through the command line, we should be thinking web interface too (or even first).

Ordinary users/managers don't care for/have access to the command line.

This should probably factor in a multiple-selector and bulk action in managing users. #47 has some thoughts.

@adamamyl

Do we also need to think about forcibly resetting all API keys (reminded of #90)?
