SMF Development > Applied or Declined Requests

Password expiration

(1/2) > >>

I've looked around and haven't been able to find a mod or feature for this. It doesn't seem like it would be too difficult and certainly would be a great security feature!

Basically, the ability to set password expiration, 30 days for example, so folks could login but have to change their password every 30 days and verify their email address. I know ... people are lazy, but they'll just have to do it.

I'm no coder, but I figure it could add a table to the DB at signup for password_date and simply check the date at each login? If this already exists please point me in the first direction!!

To me it sounds more like a mod request than a core feature.

robfromboston, if you like we can move this topic to mod requests board?

Bad, bad idea. Instead of users having strong passwords, they will begin to pick weak passwords that they are more likely to remember for the temporary period. Users will resort to things like password1 for the first one, password2 for the month after that, and so on.

This would be a good idea but not expiring every so often just an option for a moderator. On Google apps there is a similar feature. You can change a users password for them and check a box saying 'Require change of password on next login'. Then the next time the user logs in they have to change their password.

青山 素子:
It's not a bad idea, especially if it's an internal board and password policy is to require a change every so often (said group should be using a centralized authentication in such a case, anyway) or for boards of certain kinds. However, for general-purpose boards, it's a bad idea as it can lead untrained users to use much weaker passwords.

As password rotation isn't a generally-used feature, this might be better tested as a modification to check for popularity and stability. Of course, any feature acceptance is something only the developers can make.


[0] Message Index

[#] Next page

Go to full version