On 2017 January, 27th, Odoo send us an e-mail saying that there is a security issue on Odoo due to bad security configuration. You can read the security advisory ODOO-SA-2017-01-27-1 here.
The issue could give access to attacker to run some arbitrary commands on the Odoo machine by installing an Odoo module remotely. You are concerned if you have Odoo instance running with default login/password.
In OCA mailing-list, Nhomar Hernandez (from Vauxoo.com) tells us that a community module called 'password_security' can be used to get a better security and to improve password management.
Description of the 'password_security' module
This module can be downloaded on this GitHub OCA repository : https://github.com/OCA/server-tools
It is available from version 6.1 to 10.0 of Odoo.
This module allows you to define more precisely a password policy for your Odoo users. You can define a passowrd policy based on: Password age, Minimum password length, Do not use same password as before, At least one lowercase letter, At least one uppercase letter, At least one number, At least one special characters, Minimum time between two password reset.
How to use 'password_security' module
To define a password policy, you have first to download and install the 'password_security' module.
After this first step, you can define a different password policy for each company on your database.
To configure password policy on your company, you have to follow these steps:
- Go to Settings main menu,
- Then, click on Companies left menu and open the company that you need to configure,
- In the company form view, open the Password Policy tab,
- In the Timings group, you can define the validity age of a password (Days field) and the minimum number of hours between two password reset requests (Minimum Hours field),
- In the Extra group, you can define the minimum length of a password (Characters) and the number of old passwords that the user couldn't use (History) − If you put a negative number no old passwords could be used, if you put 0, this feature will be inactive,
- In the Required Characters group, you can define if the password should contain at least one of these characters.