[2.1/mod] Password Force Change/ Password Flagging.

Benchtech:
I have been discussing this on a similar request but I would like a variation.

I would like to be able to force a user to change their password upon the next login. When I have to reset users' passwords for them the best I can do is tell them to change their password when they have logged in as I usually change it to something very simple in order to make the process as easy as possible. The trouble is users often don't bother to navigate to their profile and change their password and some don't know how. If they were forced to do this when an admin ticked the 'Require Password Change on Next Login' box then it would be much simpler. I have attached screenshots below of how it is done on Google Apps.


Here admin has the option to change the password and also the option to force a change of password upon the next login.


This then pops up upon the next login of the user and the specified user cannot use any functionality of the website before this is changed.

I seriously believe this feature would improve security and also would be loved by admins all over the SMF community. Please include it  ;D ;D ;D

Kindred:
not that I disagree with the concept (although I'd never use it)

but why do you think this would improve security?
As has already been said - forcing users to change their password just means that they will either a) use a simplistic password or b) write it down, thus violating all security protocols. :P

However...   as I started out saying, it's not a bad idea...   security improvement (or not) aside...

arrowtotheknee:
The only time I'd ever see it being a good idea (bearing in mind that users can change their own password, and if they forget it can request a new one) is that you do a blanket force reset in the event that your site has been compromised.

Benchtech:

--- Quote from: Kindred on January 10, 2012, 04:41:24 PM ---not that I disagree with the concept (although I'd never use it)

but why do you think this would improve security?
As has already been said - forcing users to change their password just means that they will either a) use a simplistic password or b) write it down, thus violating all security protocols. :P

However...   as I started out saying, it's not a bad idea...   security improvement (or not) aside...

--- End quote ---

Say a user contacts you and they cannot access their account at all, or, a friend or someone you know forgets their password and needs it resetting. I reset it for them, it's no good making it complicated because they will just forget it again, I set something simple such as password or changeme. Now, without the option to force password changes there is no way to make sure they change their passwords, some users forget, some can't be bothered and some have no idea about security. Forcing them to change it ensures that they change their password if they like it or not, it also makes it a lot easier than navigating to profile settings and I believe it would be a useful feature, especially for professional forums. I guess that is why Google have it.

Ben.

青山 素子:

--- Quote from: arrowtotheknee on January 10, 2012, 05:14:33 PM ---The only time I'd ever see it being a good idea (bearing in mind that users can change their own password, and if they forget it can request a new one) is that you do a blanket force reset in the event that your site has been compromised.

--- End quote ---

That's my first thought. It's also good if you are migrating to different servers and want to force a mass-refresh of passwords out of paranoia's sake.


--- Quote from: Benchtech on January 10, 2012, 05:43:27 PM ---Say a user contacts you and they cannot access their account at all, or, a friend or someone you know forgets their password and needs it resetting.

--- End quote ---

In general, the password reset functionality of SMF works well. Enter in your username and you get a password reset link at your registered e-mail address. I generally prefer self-service options where possible.

The best case for this feature is when creating user accounts directly and you want to force a new password to be chosen on the first login of that account.

For the ability to use this option in these types of situations, I think it's a good feature to consider implementing. It shouldn't be too difficult compared to other changes as it could be implemented with a single status flag that's checked on login.
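
A sketch of the single status flag discussed in this thread, as an added example that is not part of any post and is not SMF code: the flag is set by an admin reset or a blanket reset, checked at login and on every later request, and cleared only by a real password change. The class, method and action names are hypothetical, and the accounts are constructed sample data.

```python
import hashlib
import hmac
import os

def _hash(password, salt):
    # PBKDF2 from the standard library; the iteration count is an example value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Accounts:
    # Hypothetical action names: the only things a flagged account may do.
    ALLOWED_WHILE_FLAGGED = {"change_password", "logout"}

    def __init__(self):
        self.users = {}  # name -> {"salt", "hash", "must_change"}

    def set_password(self, name, password, must_change):
        salt = os.urandom(16)
        self.users[name] = {"salt": salt, "hash": _hash(password, salt),
                            "must_change": must_change}

    def admin_reset(self, name, temp_password):
        # Admin-chosen temporary password: always flag the account.
        self.set_password(name, temp_password, must_change=True)

    def flag_all(self):
        # Blanket forced change, e.g. after a suspected compromise.
        for user in self.users.values():
            user["must_change"] = True

    def verify(self, name, password):
        user = self.users.get(name)
        return user is not None and hmac.compare_digest(
            user["hash"], _hash(password, user["salt"]))

    def login(self, name, password):
        if not self.verify(name, password):
            return "denied"
        return "must_change" if self.users[name]["must_change"] else "ok"

    def authorize(self, name, action):
        # Checked on every request, so an existing session cannot bypass the flag.
        return (not self.users[name]["must_change"]
                or action in self.ALLOWED_WHILE_FLAGGED)

    def change_password(self, name, old, new):
        # Refuse a wrong old password, and refuse "changing" to the same
        # temporary password, which would clear the flag without any change.
        if not self.verify(name, old) or self.verify(name, new):
            return False
        self.set_password(name, new, must_change=False)
        return True
```

The per-request check in `authorize` is what gives the behaviour described in the first post, where the user cannot use any other functionality until the password is changed.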
