zoqask, posted January 7, 2018

Foreword: As a whole Emby is fantastic. The look and feel are great. Credit goes to the developers and the hard work, both from them and the public offering feedback. Many thanks for a great product. It is blisteringly fast and offers features far superior to its competitors. Naturally, with a project of this size, users will have various niggles or issues.

-----

One of my issues: security, namely external user passwords. I have looked through the forums and seen various posts relating to passwords / blank etc., setting pin to blank etc.

I am currently running:
Version 3.2.60.0
Windows Server 2012 R2
Dell R710
32GB of RAM
Custom remote port number

The problem I can see, and have not found a solution for, is that remote users are allowed to access the profile panel, enter their current password and save a blank one as a new password. I may need to enable or tweak a file to stop this. Having read over the forum, though, a solution is not immediately apparent. I really do not wish to obscure the profile panel with CSS mods. This defeats the object of all the hard work by developers.

Could someone please offer advice or experience, with thanks.

Regards
Zoq

zoqask (author), posted January 7, 2018 (edited)

I have no control over the user leaving / changing to a blank field. I therefore will not know if a password is required. By default I will create a new user with a password. But as previously mentioned, should the user wish to access the profile section and change it to blank, then I'm not aware of this. The only current option to add a level of security is to disallow the easy login (User/Profile/Hide this user from login screen) and create a more complex username.

Edited January 7, 2018 by zoqask

horstepipe, posted January 7, 2018

That's reason #1 for me why my users only use Kodi. I can't give them their passwords as things like this sooner or later will happen.

zoqask (author), posted January 7, 2018 (edited)

I really wish for a definitive answer from the developers as to why blank passwords are allowed from external access. Local fine; but remote surely should be enforced to utilise a password. The user should not have the ability to allow his/her account to be compromised. I myself will create a more complex username. Others may not choose this option. Then the generic name applies and it is only a matter of time before an admin has spurious outbound bandwidth. I am all for sticking with and fixing problems. I do not, however, wish to enforce obscurity to add an element of security.

Edited January 7, 2018 by zoqask

Luke, posted January 7, 2018

There are many opportunities to improve here, such as settings for password requirements, settings to allow or not allow users to change their password, etc.

horstepipe, posted January 7, 2018

"settings to allow or not allow users to change their password, etc."

...which we already had in earlier server versions. Please bring it back.

zoqask (author), posted January 8, 2018

I am always one for building from the ground up, built on core concepts. Namely, creation of the login system in a secure manner. Once you have that, the rest is gravy. You have the gravy, but the user system requires some minor modifications. It will then gravitate the system up with the other main systems. I'm currently in the testing stage and have a premium key. But if it does not conform to basic security rules it will be a challenge to continue.

From reading the forum, large corporations / unis use this system. If they are reading this, then consider countermeasures to add security to the page. There are numerous ways to achieve this, but not within the scope of Emby. Maybe that could be the continued discussion. I have several ideas but wish to hear from others.
