Hi,
Suggest when creating additional admins that an email is sent to the new admin to complete the task and:
1. Verify the email address is correct and is owned.
This would prevent a rouge admin/site registering email addresses of others with just the intent of tying up email addresses. If there was no "activation" within x hours/days it would expire and free up the email address to the system. May also consider a limit on the number of accounts per site to say 100? Maybe there is?
2. Give the new admin a URL in the email they could click on to change the password. Maybe just redirect them to the password reset wizard. Without this the admin has to send the credentials to the new admin over a secure channel they may not have.
This would also take away the additional step of the admin telling the new admin the account was ready.
3. Wouldn't need to set a password at creation of the new account as the account would be is a disabled state (until request expired) until they activate the account by setting a new password by following the link.
Regards,
Jak
Guest User!
You are not Sophos Staff.
