Dakar (as well as Cairo) allows users to ChangePassword to an empty string. From a security point of view it is not desirable to let users erase their password.
No; many sites want null passwords. I have seen this on several client sites. I previously made the change you suggest and then had to revert it.
Of course you could add yet another option; but I think the current behaviour is OK.
I would like this to be configurable, at least, and not hardcoded. Getting some of my older and/or digitally challenged co-workers to adopt TWiki has also led me to suggest to some to use an empty password, in combination with sessions that only expire after a full day. It's a trade-off between anonymous editing and the TWiki not being used.
There might be a better way to do this, but until then, please make it configurable.
Discarding, on the basis that we really don't want another config option and null passwords are definitely needed.
Re-opening this. We can't dictate how site operators need to run their site. Adding a new flag to configure is not bad IMHO; in fact, this adds flexibility to the whole system. Admins who do not need it just leave it at the default (allow empty pwd).
MinimumPasswordLength has also been seen; with 0 as an allowed value, it would be another option.
Yes, that is a very sensible enhancement.
Thanks Crawford for acting so swiftly!