Dave Sherohman wrote:

> I can't say that I find the latter point particularly relevant, as many
> users are in the habit of re-using passwords across multiple sites.
>
> If I, as an RT admin, have access to my RT users' passwords, then that
> may not present any risk to the security of my RT installation (as
> admin, I have full access anyhow), but it does potentially place those
> users' email accounts, bank accounts, etc. at risk if they use the same
> passwords on those sites as they do on my RT install.

If such people want to find out users' passwords in order to try them out elsewhere, they could just remove the cloaking of passwords from the RT source, or sniff the HTTP packets (or set up a man-in-the-middle attack if RT is using HTTPS), or design their own login page that writes down the passwords before passing them to RT, or...

In many organizations, it is policy that admins do not know and cannot recover their users' passwords, including ours. That's OK for secure applications and authentication frameworks like Windows domain logons or Kerberos. But there's no way to secure a plain HTTP login against your own admins. You will have to use some other form of authentication for RT if you want this.

Bye,
Andreas

_______________________________________________
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
Community help: http://wiki.bestpractical.com
Commercial support: sa...@bestpractical.com

Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
Buy a copy at http://rtbook.bestpractical.com
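The "other form of authentication" the message ends on, as an added example that is not part of the original thread and not taken from RT's own documentation: an RT_SiteConfig.pm fragment that makes RT trust the REMOTE_USER the web server sets after a Kerberos handshake, so no password is ever typed into an RT login form and nothing RT's code or database holds can be tapped for it. The option names are the RT 3.x ones ($WebExternalAuth, $WebFallbackToInternalAuth, $WebExternalAuto); the Apache location, realm and keytab path in the comment are assumptions, and the matching Apache directives are mod_auth_kerb's.

```perl
# RT_SiteConfig.pm fragment (added example, not from the original message).
# RT stops authenticating users itself and accepts the identity Apache
# established via Kerberos/SPNEGO and exported as REMOTE_USER.
# Option names are those of RT 3.x RT_Config.pm; confirm them against the
# RT_Config.pm of the installed release, since later versions renamed them.

# Trust REMOTE_USER from the web server instead of RT's own login form.
Set($WebExternalAuth, 1);

# Keep the fallback OFF. With it on, a request that arrives without
# REMOTE_USER still gets RT's plain HTTP password form, and the problem
# discussed above (admins, sniffers or a fake login page seeing the
# cleartext password) comes straight back.
Set($WebFallbackToInternalAuth, undef);

# Auto-create the RT user the first time a principal shows up, so that no
# RT-side password is ever set for these accounts at all.
Set($WebExternalAuto, 1);

# Apache side (mod_auth_kerb), assumed RT location /rt, assumed realm and
# keytab path. KrbMethodK5Passwd off is the important line: it refuses
# the fallback where the browser sends a typed password via Basic auth.
#
#   <Location /rt>
#       AuthType Kerberos
#       AuthName "RT"
#       KrbAuthRealms EXAMPLE.ORG            # assumed realm
#       Krb5Keytab /etc/apache2/rt.keytab    # assumed path
#       KrbMethodNegotiate on
#       KrbMethodK5Passwd off
#       Require valid-user
#   </Location>

1;
```

Two checks worth doing after enabling this: request the RT login URL from a host without a Kerberos ticket and confirm you get a 401 from Apache rather than RT's own login form (that proves the fallback is really off), and look at the username RT created for the first Kerberos user, because REMOTE_USER normally carries the principal as user@REALM and you may want the realm stripped (newer mod_auth_kerb has KrbLocalUserMapping for that) before RT keeps creating accounts under the long form. Keep HTTPS in place regardless: Kerberos removes the password from the wire, but the RT session cookie still travels over the same connection.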