Brion Vibber wrote:
> Tomasz Wegrzanowski wrote:
>> Could you elaborate on the "temporarily" part?
>
> Until I finish the force-user-to-change-password-on-next-login code. (Probably
> tomorrow.)
>
> -- brion vibber (brion @ pobox.com)

I agree, that's probably the right thing to do for non-sysop accounts.
(Although we should perhaps zap any that are not re-activated within,
say, three months from now?)
Please keep the _sysop_ accounts with empty/trivial passwords blocked
indefinitely -- now people know they exist, they can easily be searched
for by any potential cracker, with potentially disastrous effects.
Perhaps some of these trivial-password sysop accounts could be
re-activated manually on request, if they have an E-mail address that
can be manually or automatically verified by an E-mail exchange with the
purported owner? Otherwise, it's going to be quite difficult ever to
verify ownership for these accounts, and they should probably remain
locked indefinitely.
-- Neil