[Request] Automatic password renewal after x days

[Q-collective]

Over here I wrote on this subject:

When I went through the security page, I was wondering if there is a way to automatically let a user reset a password after any number of days, while he cannot reuse his old password for another number of days? I know this is a feature in vBulletin and I love it as it enhances security for obvious reasons.

Maybe I need to install a mod though, I'm not sure.

I was told this is not possible without a mod and no mod currently exists. So, here I am, requesting for one

Version: 2.0

Description: See quote

Permissions: Admin-only

Feature Set:
- A way to switch this mod on or off
- A box where one can fill in the number of days after which the password of the users expire
- A box where one can fill in the number of days old passwords may not be reused
- A way to select membergroups included or excluded from the operation of this mod

[EkoIce]

+1 I would like to have this mod too

[Another Rob]

I've also written about this as I know other forums have this feature and it would be a GREAT security addition.

[Kindred]

Since this is a request for a mod, it's all well and good...

However, I do want to point out that requiring a user to change the password is **NOT** a great security addition.
it encourages users to use simple (and thus easily remembered) passwords, or to write down the password or (even worse) keep a text file list of all passwords.

In other words... it actually WEAKENS security, while presenting the illusion of making it stronger.

[Q-collective]

Since this is a request for a mod, it's all well and good...

However, I do want to point out that requiring a user to change the password is **NOT** a great security addition.
it encourages users to use simple (and thus easily remembered) passwords, or to write down the password or (even worse) keep a text file list of all passwords.

In other words... it actually WEAKENS security, while presenting the illusion of making it stronger.

I believe you are wrong. SMF already has the option the set a password strength, if you set this to "strong", easy passwords are simply not an option.

Furthermore, users can always write down their passwords, this is true. But it is true whether or not this mod would be active. Also, it will be impossible for hackers to gather passwords online if the password is on a piece of paper... And if it needs to be changed every once in a while, it excludes the possibility of users using the same password for everything, thus increasing the security of the user itself in question. Lastly, even if a user is hacked, it can only stay hacked for the amount of time that the password remains valid.

Thus it increases security from our current position. This is quite obvious.

[Kindred]

and I disagree....

forcing a user to change passwords is **NOT** a security measure.
It makes the admin feel better... fine, but it has no real, poistive effect on the actual security of the user's account.

[Matthew K.]

Sounds like a cool idea, although I don't necessarily agree with Kindred I do believe it could be true in some cases.

Are you willing to donate for this modification to be written?

[Q-collective]

Sounds like a cool idea, although I don't necessarily agree with Kindred I do believe it could be true in some cases.

Yeah, you can't make a foolproof system. Emphasis on fool... If users insist on being idiots, then there is only so much you can do.

Are you willing to donate for this modification to be written?

I don't mind on donating in an arbitrary sense, but it kinda depends on how much. I'll see the offers. Perhaps we can pool some money between interested people.