On 1/30/06, Brion Vibber brion@pobox.com wrote:
Tomasz Wegrzanowski wrote:
So, while dictionary-checking sysops' passwords make a lot of sense, there's very little point in limiting passwords of the non-privileged accounts.
At the moment we don't have a separate switch for sysops, nor any control which would prevent blank-password accounts from being made into sysops. I'd rather risk disabling a few accounts temporarily than keep the incredibly dangerous sysop accounts open (which could be used potentially to great destructive effect).
Take your list of users with blank passwords. Import into database. Join with the groups table to turn it into sysops. Use that as a subselect in an update query to blank the password hash field on those users. Done.
I'd just write the statement off the top of my head, but I'm not used to dealing with those fields. :)
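
The update described in the message above, written out as an added example (not part of the original thread) and run against an in-memory SQLite database with constructed rows. The `user` and `user_groups` column names are assumed to follow MediaWiki's schema, and `blank_pw_users` is a hypothetical staging table for the imported list.

```python
import sqlite3

# Assumed MediaWiki-style tables; blank_pw_users is a hypothetical staging table
# holding the imported list of user names found to have blank passwords.
SCHEMA = """
CREATE TABLE user (user_id INTEGER PRIMARY KEY, user_name TEXT, user_password TEXT);
CREATE TABLE user_groups (ug_user INTEGER, ug_group TEXT);
CREATE TABLE blank_pw_users (user_name TEXT);
"""

# Shared filter: on the imported list AND a member of the sysop group.
# Two IN subselects keep the UPDATE from reading the table it modifies.
FILTER = """
WHERE user_name IN (SELECT user_name FROM blank_pw_users)
  AND user_id IN (SELECT ug_user FROM user_groups WHERE ug_group = 'sysop')
"""
PREVIEW = "SELECT user_name FROM user " + FILTER + " ORDER BY user_name"
BLANK = "UPDATE user SET user_password = '' " + FILTER


def blank_sysop_hashes(conn):
    """Blank the hash for listed sysops; return the affected user names."""
    names = [row[0] for row in conn.execute(PREVIEW)]
    with conn:  # commit on success, roll back on error
        changed = conn.execute(BLANK).rowcount
    if changed != len(names):
        raise RuntimeError("preview and update disagree")
    return names


def demo_db():
    """Constructed data: two listed sysops, one listed non-sysop, one unlisted sysop."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)", [
        (1, "Alice", "constructed-hash-1"), (2, "Bob", "constructed-hash-2"),
        (3, "Carol", "constructed-hash-3"), (4, "Dave", "constructed-hash-4")])
    conn.executemany("INSERT INTO user_groups VALUES (?, ?)",
                     [(1, "sysop"), (3, "sysop"), (4, "sysop"), (4, "bureaucrat")])
    conn.executemany("INSERT INTO blank_pw_users VALUES (?)",
                     [("Alice",), ("Bob",), ("Dave",)])
    conn.commit()
    return conn


if __name__ == "__main__":
    print(blank_sysop_hashes(demo_db()))
```

The preview query lists the accounts the update will touch, so the result can be checked against the imported list before anything is changed.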