Allow changing password for default [email protected] user before first start #4513
Comments
Thanks for the request @e-g1gor. Somewhat related to #3946 and #3947. I may start to think about the intended route for the current maintenance release cycle. From my view I'm not too worried about the "bruteforce" scenario here (although there's no need to bruteforce where it's using a single default option), I think that's rare and can be mitigated via following our guidance, networking and other controls if that really is a concern; my main concern is just with folks not changing the default credentials.
Describe the feature you'd like
The initial password for the default admin should be configurable somehow, maybe via the .env file, like:
DEFAULT_ADMIN_PASSWORD=xxx
Describe the benefits this would bring to existing BookStack users
There is a default migration that creates an admin user with easily brute-forceable credentials.
It allows anyone to easily brute-force admin access to newly deployed services, for as long as someone does not change the password manually.
If this service is deployed to a domain that has attracted the attention of hackers, they may perform an attack immediately, before the default password is changed.
Can the goal of this request already be achieved via other means?
By tweaking the original migration:
BookStack/database/migrations/2014_10_12_000000_create_users_table.php
Line 28 in ad60517
Have you searched for an existing open/closed issue?
How long have you been using BookStack?
Not using yet, just scoping
Additional context
No response
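As an added illustration of the requested behaviour (example code written for this issue, not BookStack's own migration), a seeding helper that reads the initial admin password from the environment, generates a random one when none is configured, and stores only a bcrypt hash; the variable name DEFAULT_ADMIN_PASSWORD and the function names are assumptions from the request above.

```php
<?php
// Added example, not BookStack code. Hypothetical names: DEFAULT_ADMIN_PASSWORD,
// resolveInitialAdminPassword(), hashForStorage().
declare(strict_types=1);

/**
 * Decide which password the first admin account gets:
 * - DEFAULT_ADMIN_PASSWORD set and long enough: use it as given.
 * - unset/empty: generate a random one so no two deployments share a known default.
 * - set but too short: refuse rather than silently seeding a weak credential.
 * Returns ['password' => string, 'generated' => bool].
 */
function resolveInitialAdminPassword(?string $fromEnv, int $minLength = 12): array
{
    if ($fromEnv === null || $fromEnv === '') {
        // 24 random bytes -> 32 URL-safe characters, shown once to the operator below.
        $generated = rtrim(strtr(base64_encode(random_bytes(24)), '+/', '-_'), '=');
        return ['password' => $generated, 'generated' => true];
    }
    if (strlen($fromEnv) < $minLength) {
        throw new InvalidArgumentException(
            "DEFAULT_ADMIN_PASSWORD must be at least {$minLength} characters"
        );
    }
    return ['password' => $fromEnv, 'generated' => false];
}

/** Hash with bcrypt (the algorithm Laravel's Hash::make uses by default). */
function hashForStorage(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

// Usage from a migration or seeder run at first start:
$envValue = getenv('DEFAULT_ADMIN_PASSWORD');
$resolved = resolveInitialAdminPassword($envValue === false ? null : $envValue);
$hash = hashForStorage($resolved['password']);
if ($resolved['generated']) {
    // Printed once to the console that ran the migration, never persisted in clear text.
    fwrite(STDERR, "Generated initial admin password: {$resolved['password']}\n");
}
// The insert into the users table would then store $hash, never the plaintext.
```

The plaintext leaves the process only via the console of whoever ran the migration, so an operator who sets nothing still gets a unique credential instead of a shared default.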