Undesired change in behavior of Help Desk random password generation after upgrade to 2.0.8 #720

@ahpooch

Description

A clear and concise description of what the problem is

We have long been using the setting Modules => Authenticated => Help Desk => Profiles => default => Options => Set Password UI Mode set to Set the password to a random value unknown to the helpdesk operator.
It is considered a very secure approach to password reset, as Help Desk staff do not know the password that is set for a user.

After updating our PWM instance from v2.0.6 to v2.0.8, we now have problems with the random password generator when using HelpDesk procedures to reset a password to a random value and send it to a user via SMS.
Previously, in v2.0.6, the randomly generated password was a consistent length. If I recall correctly, it was equal to the Policies => Password Policies => default => Minimum Length value. Now, during a password reset, the randomly generated password length varies from the minimum allowed value to the maximum allowed value, which is excessively random if the minimum is 9 and the maximum is 64.

We tried to set Maximum Length to 0 in an attempt to switch back to the v2.0.6 behavior, but were unsuccessful.
If we set Maximum Length to 10, for example, the random generator follows this and stops generating passwords that are too long for users to receive via SMS. However, this leads to an inability to set a password longer than 10 characters manually.

As a workaround for now, we changed Modules => Authenticated => Help Desk => Profiles => default => Options => Set Password UI Mode to Auto generate a list of random passwords and allow typing of new password. This is acceptable but slightly less secure, as the Help Desk now knows the password that was set for the user.

I believe that this new behavior is a consequence of issue (#701).

Solution we'd like

A separate setting to control the minimum and maximum password length when a password is randomly generated.
It could be placed under:
Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ default ⇨ Details
or (slightly less advised)
Policies ⇨ Password Policies ⇨ default

Settings could be named as:
Password Minimum Length when Randomly generated
Password Maximum Length when Randomly generated

It should be taken into consideration that Password Minimum Length when Randomly generated must not be less than Policies => Password Policies => default => Minimum Length if Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ default ⇨ Details ⇨ Enforce User Password Policy is enabled.
Maybe there are some other things to consider which I'm not aware of.

Alternative solution

A separate setting to make the random password generator use Minimum Length as the fixed target password length.
It could be Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ default ⇨ Details ⇨ Use Minimum Length for password generation.
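An added example in Python, not PWM's own code, that models the two proposals above: a helpdesk profile with the hypothetical random_min_length, random_max_length and use_minimum_length_for_generation settings, the check that the random minimum must not fall below the policy Minimum Length while Enforce User Password Policy is on, and a generator that draws its length only from the resulting range. It assumes a simplified policy object in which Maximum Length 0 means "no upper bound" and uses a constructed alphanumeric charset.

```python
import secrets
import string
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed charset for the demo; PWM's real policy-driven character rules are not modelled.
ALPHABET = string.ascii_letters + string.digits


@dataclass
class PasswordPolicy:
    """Model of Policies => Password Policies => default (two fields only)."""
    minimum_length: int
    maximum_length: int  # assumption for this model: 0 means "no upper bound"


@dataclass
class HelpDeskProfile:
    """Model of Help Desk profile Details. The random_* and use_minimum_*
    fields are the settings proposed in this issue, not existing PWM settings."""
    enforce_user_password_policy: bool = True
    random_min_length: Optional[int] = None
    random_max_length: Optional[int] = None
    use_minimum_length_for_generation: bool = False


def random_length_bounds(policy: PasswordPolicy, profile: HelpDeskProfile) -> Tuple[int, int]:
    """Length range the generator draws from; falls back to the policy values when unset."""
    if profile.use_minimum_length_for_generation:
        return policy.minimum_length, policy.minimum_length  # alternative: fixed length
    lo = policy.minimum_length if profile.random_min_length is None else profile.random_min_length
    if profile.random_max_length is not None:
        hi = profile.random_max_length
    else:
        hi = policy.maximum_length if policy.maximum_length > 0 else lo  # no bound: fixed length
    return lo, hi


def policy_problems(policy: PasswordPolicy, profile: HelpDeskProfile) -> List[str]:
    """Configuration checks from the issue; an empty list means the settings are consistent."""
    lo, hi = random_length_bounds(policy, profile)
    problems = []
    if lo > hi:
        problems.append(f"random minimum {lo} exceeds random maximum {hi}")
    if profile.enforce_user_password_policy and lo < policy.minimum_length:
        problems.append(f"random minimum {lo} is below policy Minimum Length {policy.minimum_length}")
    return problems


def generate_random_password(policy: PasswordPolicy, profile: HelpDeskProfile) -> str:
    """Draw a length uniformly from the configured range (CSPRNG) and fill it from ALPHABET."""
    problems = policy_problems(policy, profile)
    if problems:
        raise ValueError("; ".join(problems))
    lo, hi = random_length_bounds(policy, profile)
    length = lo + secrets.randbelow(hi - lo + 1)
    return "".join(secrets.choice(ALPHABET) for _ in range(length))
```

With the defaults (policy 9..64, no profile override) lengths spread across the whole 9..64 range, which is the 2.0.8 behaviour the report describes; setting random_max_length to an SMS-friendly value narrows only the generator, leaving manually set passwords governed by the policy maximum.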
