3
votes

I have a web application that handles employees' work sheets.

They have username/password combinations assigned to them from an admin.

The passwords are salted and hashed individually.

The problem is, they are all being assigned the same password by the admin. This is obviously a security problem.

I don't want to error with "the password you are trying to use is already in use" because...

  • It reveals someone else has that password. Bad security.
  • I can't easily compare passwords. I need to salt and hash them individually because of the way they are stored in the database.

Do I have any options to try and limit this behaviour?

3
Fire the stupid admin; problem solved. (Wooble)

3 Answers

8
votes

The software should force users to change their passwords after logging in for the first time. Have the software check to make sure the user actually enters a new password, rather than repeating the old one.

6
votes

This isn't a technical problem; it's an organisational/management issue...

The admin simply needs to stop assigning the same password to everyone.

2
votes

Why is everybody being assigned the same password? Give them a temporary password of a random string or allow them to pick a password of their choosing when registering.
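As an added example that is not code from the question or from any of the answers, the following Python shows how the first answer (force a change at first login and check the user really picked a new password) and the third answer (hand out a random temporary password) fit together. It also addresses the asker's worry: the check that the new password differs from the old one does not need cross-account comparison at all, since the candidate can be verified against that same account's stored salted hash. The `User` record, `create_user`, `change_password`, `login`, the PBKDF2 parameters and the in-memory storage are assumptions made for illustration; a real application would read and write these columns in its database.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


# Constructed in-memory stand-in for a users row (assumption: real code uses the DB).
@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    must_change_password: bool = True  # set on creation, cleared after first rotation


# Assumed KDF parameters for the example: PBKDF2-HMAC-SHA256 with a per-user salt.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash of one password; each user gets their own salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def verify_password(user: User, candidate: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(candidate, user.salt), user.password_hash)


def generate_temporary_password() -> str:
    """CSPRNG-backed temporary password; 12 random bytes -> 16 URL-safe characters."""
    return secrets.token_urlsafe(12)


def create_user(username: str) -> tuple[User, str]:
    """What the admin's 'add employee' action should do: random temp password, flagged for change."""
    temp_password = generate_temporary_password()
    salt = secrets.token_bytes(16)
    user = User(username=username, salt=salt, password_hash=hash_password(temp_password, salt))
    return user, temp_password  # temp_password is shown once to the admin/employee, never stored


def login(user: User, password: str) -> str:
    """Return 'denied', 'change_required' or 'ok'; the app routes 'change_required' to the change form."""
    if not verify_password(user, password):
        return "denied"
    if user.must_change_password:
        return "change_required"
    return "ok"


def change_password(user: User, current: str, new: str) -> bool:
    """Rotate the password. Refuse if 'current' is wrong or if 'new' is just the old password again."""
    if not verify_password(user, current):
        return False
    # This is the check the first answer asks for. No comparison with other accounts is needed:
    # the candidate is verified against this account's own stored salted hash.
    if verify_password(user, new):
        return False
    user.salt = secrets.token_bytes(16)  # fresh salt on every rotation
    user.password_hash = hash_password(new, user.salt)
    user.must_change_password = False
    return True
```

Because every account starts with its own random temporary password, the "everyone has the same password" state never arises, and the forced first-login rotation retires the temporary password even if the admin did share it around. The error on a rejected change ("new password must differ from the current one") only tells the user something about their own account.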