Passport-local: Support "empty string" password?

Created on 24 Oct 2014 · 7 Comments · Source: jaredhanson/passport-local

I don't know if this is on purpose.

https://github.com/jaredhanson/passport-local/blob/master/lib/strategy.js#L72

With that, when I try to auth with JSON body { "username": "myuser", password: "" }, I get the later error, because "" || null returns null.
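The `"" || null` behaviour described above, as an added example that is not passport-local's own code: a small model of `||`-coalesced credential extraction over the request body and query (the `lookup` and `extractCredentials` names are assumed), showing why an empty-string password ends up reported as a missing credential.

```javascript
// Added example (not passport-local's own code): models how a strategy that
// coalesces body and query values with `||` treats an empty-string password.
// Field names follow the issue's JSON body; no Express or network involved.

// Walk a (possibly nested) field name such as "user[password]" through an
// object. Returns null when any segment is absent, the "not found" convention
// the `"" || null` chain in the issue relies on.
function lookup(obj, field) {
  if (!obj) return null;
  const chain = field.split(']').join('').split('[');
  let value = obj;
  for (const key of chain) {
    if (value == null || typeof value !== 'object') return null;
    if (!(key in value)) return null;
    value = value[key];
  }
  return value;
}

// Credential extraction with `||` coalescing: "" is falsy, so an empty body
// password falls through to the query lookup, and then to null. The final
// `!password` check therefore fails closed for both absent and empty values.
function extractCredentials(body, query, usernameField = 'username', passwordField = 'password') {
  const username = lookup(body, usernameField) || lookup(query, usernameField);
  const password = lookup(body, passwordField) || lookup(query, passwordField);
  if (!username || !password) {
    return { ok: false, message: 'Missing credentials' };
  }
  return { ok: true, username, password };
}

// Constructed sample requests (no real accounts).
const withPassword = extractCredentials({ username: 'myuser', password: 'hunter2' }, {});
const emptyPassword = extractCredentials({ username: 'myuser', password: '' }, {});
const absentPassword = extractCredentials({ username: 'myuser' }, {});
```

Because `!password` cannot tell an absent field from an empty one, an application that wants to treat the two differently has to decide that before the strategy runs, which is the behaviour the maintainer describes as intentional below.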

All 7 comments

Also would like an option to allow empty passwords.

:+1: It should be left to the application to handle any kind of passwords a user might pass, be it a 100-character string or just a "" (empty string), don't you think?

For security reasons, an empty password is considered a missing credential. This is by design, and considered a security feature.

@jaredhanson would you allow for a pull request where allowEmptyPassword is set through an option? This option is (of course) set to false by default.

What would be the point of this option? If the password is empty, no authentication is possible. Why would an application allow that?


On Oct 26, 2017, at 4:07 AM, Casper Lamboo notifications@github.com wrote:

@jaredhanson would you allow for a pull request where allowEmptyPassword is set through an option. This option is (of course) set to false by default.


This would allow for logging in with an empty string as password. In some cases this is very useful. I understand this is a security risk, but in my case I find the benefits to be outweighing the risk, so I want to be able to make the conscious decision to provide empty strings as passwords. Clearly this is a feature that is desired by at least 4 people.

The use case I'm referring to is an admin panel where user accounts can be created. These user accounts will have an empty string as password when created. When logging in for the first time users can just provide their email as login credentials. After logging in the users will be prompted to provide a secure password which must be verified via email.

This is not authentication, so no, I will not accept a PR with this functionality.

You are free to fork this module, and implement and maintain the functionality if you need it.


On Oct 26, 2017, at 5:19 AM, Casper Lamboo notifications@github.com wrote:

This would allow for logging in with an empty string as password. In some cases this is very useful. I understand this is a security risk, but in my case I find the benefits to be outweighing the risk, so I want to be able to make the conscious decision to provide empty strings as passwords. Clearly this is a feature that is desired by at least 4 people.

The use case I'm referring to is an admin panel where user accounts can be created. These user accounts won't have a password. When logging in for the first time users can just provide their email. After logging in the users will be prompted to provide a secure password which must be verified via email.

