You're right, leaving the reset to the customers would've been better.
Unfortunately, we've already committed to having those passwords on hand
because some of our customer accounts have invalid emails (they don't want
to provide an email address to be 100% sure they don't get any
notifications) and some accounts share the same email address (support
email address from customer's company).
On Mon, Mar 4, 2013 at 4:02 PM, Gerald Young
"I need to reset passwords to values that are later communicated to customers" I don't see how this is good security, especially since the passwords aren't forced to reset and you've now generated a list of passwords for all your users in plain text after a potential security breach.
I realize you have to do what you have to do, but having the users reset their own password is (IMO) a safer tactic.
--------------------------------------------------------------------- OTRS mailing list: otrs - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/otrs To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs