Comment 3 for bug 335631

David Welsh (rdavidw) wrote : Re: [Bug 335631] Re: teachers need a way to access student view of their students, see student logon and reset password

Tom, we need to think this through from both security and user perspectives.

Q: What does an instructor do when a student cannot log on due to password
failure?

Is the answer now that neither they nor the student have any immediate way
to fix this problem, and they need to contact the SchoolTool manager and
wait for a password reset?

Can we do any better than this (i.e. use email to reset and resend a
password???).

I mean, think about it, the security model is not working that well now:
Currently, we're using generic passwords such as "schooltool", "teacher",
"student" and "admin". All you have to do to break into most any CanDo
instance is just find a user that has not changed from the generic password,
something not even Lee Capps has done with the Virginia instances.

So, in essence, our "won't fix" approach is hanging up the users to protect
a non-working security model. Not OUR best vector of attack, if you ask me.

--David Welsh

On Tue, Mar 17, 2009 at 9:55 PM, Tom Hoffman <email address hidden> wrote:

> I don't mind teachers being able to see the demographic and contact data
> of members of their sections, in fact they should be able to. However,
> allowing teachers to change the passwords of members of their sections
> opens up too many attack vectors. Perhaps some kind of power user group
> can be created or something to give some teachers elevated permissions
> to change passwords.
>
> --
> teachers need a way to access student view of their students, see student
> logon and reset password
> https://bugs.launchpad.net/bugs/335631
> You received this bug notification because you are a direct subscriber
> of the bug.
>
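The e-mail based reset David asks about, sketched as an added example that is not SchoolTool or CanDo code: a random, single-use, short-lived token is mailed to the address on file, only its hash is kept server-side, and the new password is rejected if it is one of the generic defaults named above. The host name, the 15-minute lifetime and the user-record layout are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Hypothetical policy values for this example (not SchoolTool settings)
TOKEN_TTL_SECONDS = 15 * 60
# The generic passwords named in the thread; a reset must not reinstate them
DEFAULT_PASSWORDS = {"schooltool", "teacher", "student", "admin"}


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2 hash, stored as 'salt_hex$digest_hex'."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$")
    return hmac.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), stored)


def password_acceptable(password: str) -> bool:
    """Reject the shared default passwords and anything too short."""
    return len(password) >= 8 and password.lower() not in DEFAULT_PASSWORDS


@dataclass
class ResetRequest:
    username: str
    expires_at: float
    used: bool = False


class PasswordResetService:
    """Self-service reset: the only secret leaves the server inside the mailed
    link, so no teacher or admin ever has to know or set the password."""

    def __init__(self, users: dict, send_email, clock=time.time):
        self._users = users            # username -> {"email": str, "password_hash": str}
        self._send_email = send_email  # callable(to_address, body)
        self._clock = clock            # injectable for testing expiry
        self._requests = {}            # sha256(token) -> ResetRequest

    @staticmethod
    def _token_key(token: str) -> str:
        # Store only a hash: a leaked table of requests yields no usable links
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, username: str) -> None:
        user = self._users.get(username)
        if user is None:
            return  # same visible outcome as for a known user: no account enumeration
        token = secrets.token_urlsafe(32)
        self._requests[self._token_key(token)] = ResetRequest(
            username, self._clock() + TOKEN_TTL_SECONDS)
        # Hypothetical URL; a real deployment uses its own host and route
        self._send_email(user["email"],
                         f"https://schooltool.example/reset?token={token}")

    def complete_reset(self, token: str, new_password: str) -> bool:
        req = self._requests.get(self._token_key(token))
        if req is None or req.used or self._clock() > req.expires_at:
            return False  # unknown, already spent, or expired link
        if not password_acceptable(new_password):
            return False  # leaves the token valid so the student can try again
        req.used = True   # single use, even if the link is seen later
        self._users[req.username]["password_hash"] = hash_password(new_password)
        return True
```

Because the token is unguessable and expires quickly, the flow gives the student an immediate fix without widening the set of people who can change passwords, which is the trade-off Tom raises. The service needs an e-mail address on file for each student; where that is missing, the manual reset path still applies.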