crusher11 1101 Posted April 17, 2020: Regular, non-admin users have access to a 'remove password' button on the "change password" page, as well as the "Local Network Access" settings allowing them not to require a password for local access. I assume this is an oversight? It's a serious security issue.
Happy2Play 9780 Posted April 17, 2020: Isn't that the point of the user setting "Allow this user to change their password and profile image"?
crusher11 1101 (Author) Posted April 17, 2020: Allowing them to change it and allowing them to remove it are entirely different. For starters, you don't even need to know your current password to remove it.
Happy2Play 9780 Posted April 17, 2020: Everyone has their own needs, but I can see it argued either way.
crusher11 1101 (Author) Posted April 17, 2020: What's the argument for allowing users to remove their password? Especially without requiring the current password in order to do so. It's a huge security flaw.
CBers 7450 Posted April 17, 2020: I have to agree with @crusher11 on this one. A non-admin user shouldn't be able to remove their own password. A non-admin user should also have to supply the old password to enable a password change as well.
Happy2Play 9780 Posted April 17, 2020: At the same time, Emby has never required anyone to know the current password to apply a new password.
C.S. 93 Posted April 17, 2020: If there are no requirements for complexity, just allowing the change is the real security hole. Allowing removal is just incrementally worse.
Luke 42078 Posted April 17, 2020: Yes, it's something we can look at improving. Thanks for the feedback.
horstepipe 422 Posted April 17, 2020:
Quote (Luke): Yes it's something we can look at improving. Thanks for the feedback.
Come on, can't you just say "sorry, we're going to fix that ASAP"? This can't have been implemented intentionally by any means.
moviefan 187 Posted April 17, 2020:
Quote (C.S.): If there are no requirements for complexity, just allowing the change is the real security hole. Allowing removal is just incrementally worse.
Please DO NOT require complexity. You can make it an optional setting if you like, but stupid complexity requirements are worthless and oftentimes reduce security. https://www.schneier.com/blog/archives/2017/10/changes_in_pass.html
C.S. 93 Posted April 17, 2020: Complexity aside, the default for new users should be to not allow the change. Admins can then decide later if they want to take the risk.
pir8radio 1312 Posted April 17, 2020:
Quote (C.S.): Complexity aside, the default for new users should be to not allow the change. Admins can then decide later if they want to take the risk.
Yeah, that's what I was thinking... just don't let them change their password, and problem solved... But on the flip side, assuming regular users, what's the security risk? That someone will break into your server and binge watch? Ahh, just kidding, being facetious... I get it, just saying you should always plan for the worst anyway... Sharing of passwords, weak passwords, all of that fun stuff can be avoided if you set their password and don't let them change it. But then also plan for someone getting into that user's account. What could they do that would be annoying or damaging? Do they need that feature? Then there is logging... why is Joe online right now? He should be working...
pwhodges 2012 Posted April 17, 2020:
Quote (moviefan): Please DO NOT require complexity. You can make it an optional setting if you like, but stupid complexity requirements are worthless and oftentimes reduce security. https://www.schneier.com/blog/archives/2017/10/changes_in_pass.html
That, a hundred times that. When I was setting up new systems fifteen years ago, almost my only rule was a minimum of 14 characters, but you can make them easy for you to remember. I'd probably up that a bit now. In the time before password managers appeared, studies and analysis showed that above that length security reduced as people were forced to write the passwords down and stick them to their monitors!
Paul
ray-finkle 10 Posted April 17, 2020: Yes, password length is the most important factor. I think it should be a definable parameter that an admin can set.
arche 177 Posted April 17, 2020: Just my opinion: aside from fixing bugs, the user management needs to be overhauled. I know it's easier said than done, bills need to be paid (hence some new features), but some of these new features seem useless to most, which just causes more bugs. The more useless features, the more bugs. People have been having issues with passwords for years, even during people having their servers taken over (mostly admin error with passwords), but there have been feature requests for fixes or improvements. Examples:
https://emby.media/community/index.php?/topic/70978-change-password-option-in-admin-panel/?hl=passwords
https://emby.media/community/index.php?/topic/82469-new-user-password/?hl=%2Bblank+%2Bpassword
https://emby.media/community/index.php?/topic/54631-blank-password-via-profile-allowed-for-external-access-v32600/?hl=%2Bblank+%2Bpassword
I don't expect everything for free, and I know you guys can't take donations because of the credit card rules, but start a Kickstarter or something that some of us would be more than willing to contribute to so that someone can set aside time to revamp certain areas. If nobody contributes, then nobody should complain. Then it gets done when it gets done. Just my private opinion/bitch session...
C.S. 93 Posted April 17, 2020:
Quote (pwhodges): When I was setting up new systems fifteen years ago, almost my only rule was a minimum of 14 characters, but you can make them easy for you to remember. I'd probably up that a bit now.
I guess complexity was the wrong word, because this is actually what I meant. For sure good passwords are long and easy to remember.
Quote (pir8radio): But on the flip side, assuming regular users, whats the security risk? that someone will break into your server and binge watch? ahh, Just kidding being facetious... I get it, just saying you should always plan for the worst anyway... sharing of passwords, weak passwords, all of that fun stuff can be avoided if you set their password and dont let them change it. But then also plan for someone getting into that users account. what could they do that would be annoying or damaging? do they need that feature? then there is logging... why is joe online right now? he should be working...
I suppose they could just change the password to be dicks. But the truth is I don't really know what's the worst that could happen. I don't think about it much because I have strong passwords that can't be changed. Also, I don't let my users do anything but hit play, basically. No remote control, no downloading, no social media sharing (??) - that last one is a little scary. I don't know how it works, but I assume the user can make a post with their own text attached? To Twitter and whatnot? Posing as someone else on social media -- that seems like a way people hurt each other sometimes. By all means, the ability to run your own server wide open should always be there. God bless the crazy bastards that do it. But yeah, let's also try to help out those less experienced who would likely benefit from a little security.
Edit: Just looked at the social media option - it says "Only web pages containing media information are shared." So that's good.
crusher11 1101 (Author) Posted April 17, 2020:
Quote (C.S.): Complexity aside, the default for new users should be to not allow the change. Admins can then decide later if they want to take the risk.
I usually set up remote accounts with a dummy password and get the user to set a good one on first login. The reason this came up is one of my users accidentally hit "remove password" instead of "save password" when doing this several months ago, and neither of us noticed until yesterday.
Happy2Play 9780 Posted April 17, 2020: It has come up in the past, but it has been this way since before 3.5.
pir8radio 1312 Posted April 18, 2020:
Quote (crusher11): I usually set up remote accounts with a dummy password and get the user to set a good one on first login. The reason this came up is one of my users accidentally hit "remove password" instead of "save password" when doing this several months ago and neither of us noticed until yesterday.
Send a screenshot; I must be missing (or not looking in the right place for) this "remove password" button...
darkassassin07 652 Posted April 18, 2020: In my testing using Chrome mobile, Chrome desktop, and Emby for Android: the only place there is a 'remove password' button is when editing a user from within the server dashboard/settings (i.e. only accessible to admins), and it is only there when 'allow this user to manage the server' is not enabled for that user. (Admin passwords cannot be reset/removed without the old password unless you make that user non-admin first.) When changing a user's password from their own settings, the old password is required to change to a new one, but the password can be removed altogether by filling in 'current password' and leaving both of the 'new password' fields blank. This has to be done pretty intentionally. Server 4.4.2.0
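The two behaviours reported in this thread (crusher11: the current password is not needed to remove it; darkassassin07: leaving both new-password fields blank removes it) and the length-only policy pwhodges and ray-finkle argue for, shown as an added example that is not Emby's code and makes no claim about how Emby implements this. The user model, the `allow_self_password_change` flag, the admin-set `min_length` and the scrypt parameters are assumptions made for illustration; the permissive handler is constructed to mirror the reported behaviour, the hardened one beside it is the check a reviewer would want.

```python
"""Self-service password change: a permissive handler mirroring the reported
behaviour next to a hardened one. Added example, not Emby's code; the user
model, flags and policy values are assumptions made for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

# scrypt work factor; 2**14 is an ordinary interactive-login cost (~16 MiB).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


@dataclass
class User:
    name: str
    is_admin: bool = False
    allow_self_password_change: bool = True        # assumed per-user flag
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    password_hash: Optional[bytes] = None          # None means "no password set"


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)


def set_password(user: User, password: str) -> None:
    """An empty string stores no hash at all, i.e. it removes the password."""
    user.password_hash = hash_password(password, user.salt) if password else None


def verify_password(user: User, password: str) -> bool:
    if user.password_hash is None:
        return password == ""                      # blank password account
    return hmac.compare_digest(user.password_hash,
                               hash_password(password, user.salt))


def change_password_permissive(user: User, current_password: str,
                               new_password: str) -> str:
    """Constructed to mirror the thread's reports: the current password is
    never checked, and an empty new password silently removes the password."""
    set_password(user, new_password)
    return "ok"


def change_password_hardened(user: User, current_password: str,
                             new_password: str, min_length: int = 14) -> str:
    """Returns "ok" or the reason the change was refused.

    Assumed policy (not Emby's): self-service change must be enabled for
    non-admins, the caller must prove the current password, and the new
    password must meet an admin-set minimum length. Length is the only
    strength rule; there is deliberately no character-class complexity rule.
    An empty new password fails the length check, so removal is impossible.
    """
    if not user.is_admin and not user.allow_self_password_change:
        return "refused: self-service password change is disabled for this user"
    if not verify_password(user, current_password):
        return "refused: current password is incorrect"
    if len(new_password) < min_length:
        return f"refused: new password must be at least {min_length} characters"
    set_password(user, new_password)
    return "ok"


def admin_remove_password(actor: User, target: User) -> str:
    """Removing a password stays an explicit admin action on non-admin accounts."""
    if not actor.is_admin:
        return "refused: only administrators may remove a password"
    if target.is_admin:
        return "refused: administrator accounts must keep a password"
    target.password_hash = None
    return "ok"


if __name__ == "__main__":
    alice = User("alice")
    set_password(alice, "correct horse battery staple")
    # Wrong current password and blank new password: the account ends up open.
    print(change_password_permissive(alice, "wrong guess", ""),
          verify_password(alice, ""))

    bob = User("bob")
    set_password(bob, "correct horse battery staple")
    print(change_password_hardened(bob, "wrong guess", ""))
    print(change_password_hardened(bob, "correct horse battery staple", ""))
    print(change_password_hardened(bob, "correct horse battery staple",
                                   "a new long enough passphrase"))
```

The hardened handler returns a reason string rather than raising so the caller can show it in the UI; the same three checks (feature enabled, current password verified, minimum length met) are what an admin would want logged when a change is refused.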
Spaceboy 2573 Posted April 18, 2020:
Quote (darkassassin07): In my testing using chrome mobile, chrome desktop, and emby for android: the only place there is a 'remove password' button is when editing a user from within the server dashboard/settings (ie only accessible to admins), and is only there when 'allow this user to manage the server' is not enabled for that user. (admin passwords cannot be reset/removed without the old pass unless you make that user non-admin first) When changing a users password from their own settings, the old password is required to change to a new one, but the password can be removed altogether by filling in 'current password' and leaving both of the 'new password' fields blank. This has to be done pretty intentionally. Server 4.4.2.0
You're not looking hard enough. It's in the web app too.
darkassassin07 652 Posted April 18, 2020: [images removed]
Happy2Play 9780 Posted April 19, 2020:
Quote (pir8radio): send a screenshot, I must be missing (or not looking in the right place) this "remove password" button...
Assuming you have the option "Allow this user to change their password and profile image" enabled on the user, go to user icon > Password. Does not apply to admin users.
Spaceboy 2573 Posted April 19, 2020: @darkassassin07 could you make your pics a bit larger please?