Password expiration

Started by robfromboston, November 27, 2011, 08:06:28 PM


robfromboston

I've looked around and haven't been able to find a mod or feature for this. It doesn't seem like it would be too difficult and certainly would be a great security feature!

Basically, the ability to set password expiration, 30 days for example, so folks could log in but have to change their password every 30 days and verify their email address. I know ... people are lazy, but they'll just have to do it.

I'm no coder, but I figure it could add a table to the DB at signup for password_date and simply check the date at each login? If this already exists please point me in the first direction!!

Joker™

To me it sounds more like a mod request than a core feature.

robfromboston, if you like we can move this topic to mod requests board?

"For the wise man looks into space and he knows there is no limited dimensions." - Laozi

All support seeking PM's get microwaved

Arantor

Bad, bad idea. Instead of users having strong passwords, they will begin to pick weak passwords that they are more likely to remember for the temporary period. Users will resort to things like password1 for the first one, password2 for the month after that, and so on.

Benchtech

This would be a good idea, but not expiring every so often, just an option for a moderator. On Google Apps there is a similar feature. You can change a user's password for them and check a box saying 'Require change of password on next login'. Then the next time the user logs in they have to change their password.
Owner, admin and member of benchtech forums.

青山 素子

It's not a bad idea, especially if it's an internal board and password policy is to require a change every so often (said group should be using a centralized authentication in such a case, anyway) or for boards of certain kinds. However, for general-purpose boards, it's a bad idea as it can lead untrained users to use much weaker passwords.

As password rotation isn't a generally-used feature, this might be better tested as a modification to check for popularity and stability. Of course, any feature acceptance is something only the developers can make.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


Benchtech

Quote from: 青山 素子 on January 08, 2012, 08:18:53 PM
It's not a bad idea, especially if it's an internal board and password policy is to require a change every so often (said group should be using a centralized authentication in such a case, anyway) or for boards of certain kinds. However, for general-purpose boards, it's a bad idea as it can lead untrained users to use much weaker passwords.

As password rotation isn't a generally-used feature, this might be better tested as a modification to check for popularity and stability. Of course, any feature acceptance is something only the developers can make.

I do agree with that, I'd use it for the purposes of resetting passwords. You can reset someone's password and tell them to change their password but they often don't bother. I love resetting passwords with Google Apps and making it so the user has to change it before they can go any further. This is particularly good for moderators who have power on the forum.
Owner, admin and member of benchtech forums.

青山 素子

Password rotation is different than flagging a one-time password change. I actually like the idea of a flag that will force a user to set a new password. Perhaps you can put this as a new feature request?
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


Benchtech

Quote from: 青山 素子 on January 10, 2012, 03:21:20 PM
Password rotation is different than flagging a one-time password change. I actually like the idea of a flag that will force a user to set a new password. Perhaps you can put this as a new feature request?

Good idea, I will do this, thanks :)
Owner, admin and member of benchtech forums.
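
The two mechanisms discussed in this thread, an age check against a stored password_date and a one-time "require change on next login" flag, sketched as an added example that is not part of the original posts and is not SMF code. All names (Member, force_password_change, check_after_login and so on) are hypothetical, and it assumes the password itself has already been verified elsewhere.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional


class LoginOutcome(Enum):
    OK = "ok"
    FORCED_CHANGE = "forced_change"   # moderator/admin set the one-time flag
    EXPIRED = "expired"               # password older than the rotation window


@dataclass
class Member:
    name: str
    password_date: datetime              # when the current password was set
    force_password_change: bool = False  # hypothetical one-time flag


def check_after_login(member: Member, now: datetime,
                      max_age: Optional[timedelta] = None) -> LoginOutcome:
    """Run after credentials are verified, before the session is granted.

    max_age=None disables rotation entirely, so only the one-time flag
    applies (the variant suggested for general-purpose boards).
    """
    if member.force_password_change:
        return LoginOutcome.FORCED_CHANGE
    if max_age is not None and now - member.password_date >= max_age:
        return LoginOutcome.EXPIRED
    return LoginOutcome.OK


def admin_reset(member: Member, now: datetime) -> None:
    """Admin sets a temporary password; the member must replace it."""
    member.password_date = now
    member.force_password_change = True


def complete_password_change(member: Member, now: datetime) -> None:
    """Member chose a new password: restart the clock, clear the flag."""
    member.password_date = now
    member.force_password_change = False
```

Any outcome other than OK should send the member to the change-password form and nowhere else until complete_password_change has run.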
