Neil Harris wrote:
By mistake, I seem to have logged in as another user. I was typing my username, when my finger slipped and I logged in before I had either finished typing my complete username, or any password whatsoever.
It seems that the user I accidentally logged in as has an empty password.
- is this really possible, or have I made a mistake?
Yes.
- if this really is so, this is a moderate-sized security hole, because this has the same dangers as accounts with publicly accessible passwords, which are generally held to be a case for block-on-sight.
Don't do that if your account is important to you.
It would probably make sense to check for zero-length passwords at account creation time,
On your own site, set the minimum password length. See DefaultSettings.php for all available configuration settings.
-- brion vibber (brion @ pobox.com)