DamonT Posted August 19, 2022
The current option to force password changes sends an email to all forced users. This can generate anxiety because people think something bad has happened. Is it possible to force a password change in such a way that the user only gets a message after coming to the site and trying to log in? He should be told that his password has expired and that he must now reset it for his own security. Such a procedure does not arouse suspicion.
Adriano Faria Posted August 19, 2022
Adriano Faria Posted August 19, 2022
Sorry, I posted the email-change one, not the password one.
DamonT (author) Posted August 19, 2022
@Adriano Faria no problem, this plugin is also great, but not for my use case 😉
Stuart Silvester Posted August 19, 2022
Forcing passwords to expire is generally considered a bad security practice now. Enforcing it may actually reduce the security of your member accounts instead of increasing it. Here are two useful resources, but you can find many more online.
https://www.ncsc.gov.uk/blog-post/problems-forcing-regular-password-expiry
https://pages.nist.gov/800-63-3/sp800-63b.html#memsecretver
"Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator."
DamonT (author) Posted August 19, 2022
I understand. However, I wanted to lock accounts that have not been used for a long time in this way, for safety. Then, after trying to log in, the user would have to verify himself through access to his email and would change his password in the process.
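The flow DamonT describes above (no bulk email; a dormant or flagged account is only challenged when its owner shows up and logs in, and the challenge is an email-verified password change) can be expressed as a small login handler. The following is an added example written for this thread, not Invision Community code or any plugin's code. The policy thresholds, the `Account` record, the `send_email` callback and the stand-in `hash_password` are all assumptions for the demo; a real site would use its framework's bcrypt/argon2 hashing and mailer.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Policy knobs (assumed values, not Invision Community settings).
DORMANT_AFTER = timedelta(days=365)   # accounts idle this long must re-verify
RESET_TOKEN_TTL = timedelta(hours=1)  # how long the emailed reset link is valid


@dataclass
class Account:
    email: str
    password_hash: bytes                 # stand-in for the site's stored hash
    last_login: datetime
    force_reset: bool = False            # admin flag: evidence of compromise
    pending_resets: dict = field(default_factory=dict)  # sha256(token) -> expiry


def hash_password(password: str) -> bytes:
    # Stand-in only; a real site uses its framework's bcrypt/argon2 hashing.
    return hashlib.sha256(password.encode("utf-8")).digest()


def needs_reset(acct: Account, now: datetime) -> bool:
    """Reset is required on evidence of compromise or after long dormancy."""
    return acct.force_reset or (now - acct.last_login) > DORMANT_AFTER


def attempt_login(acct: Account, password: str, now: datetime, send_email) -> str:
    """Returns 'bad_password', 'reset_required' or 'ok'.

    The reset email is only sent after the correct password was presented, so
    nobody is emailed out of the blue and unauthenticated visitors cannot make
    the site spam reset links at arbitrary addresses.
    """
    if not hmac.compare_digest(hash_password(password), acct.password_hash):
        return "bad_password"
    if needs_reset(acct, now):
        token = secrets.token_urlsafe(32)
        token_digest = hashlib.sha256(token.encode("utf-8")).hexdigest()
        acct.pending_resets[token_digest] = now + RESET_TOKEN_TTL
        send_email(acct.email, token)    # hypothetical mailer callback
        return "reset_required"
    acct.last_login = now
    return "ok"


def complete_reset(acct: Account, token: str, new_password: str, now: datetime) -> bool:
    """Consume the emailed token; on success the new password is live."""
    token_digest = hashlib.sha256(token.encode("utf-8")).hexdigest()
    expiry = acct.pending_resets.pop(token_digest, None)
    if expiry is None or now > expiry:
        return False
    acct.password_hash = hash_password(new_password)
    acct.force_reset = False
    acct.pending_resets.clear()          # invalidate any other outstanding links
    acct.last_login = now
    return True


if __name__ == "__main__":
    now = datetime(2022, 8, 19, tzinfo=timezone.utc)
    outbox = []
    acct = Account("member@example.com", hash_password("old-pw"),
                   last_login=now - timedelta(days=400))
    print(attempt_login(acct, "old-pw", now, lambda to, tok: outbox.append(tok)))  # reset_required
    print(complete_reset(acct, outbox[0], "new-pw", now))                          # True
    print(attempt_login(acct, "new-pw", now, lambda to, tok: None))                # ok
```

Two design points matter here. The token is stored only as a hash and cleared once used, so a leaked database copy does not yield working reset links. And the email goes out only after the existing password was verified, which is exactly what keeps the message unalarming: the recipient has just typed that password themselves.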
aia Posted August 19, 2022
31 minutes ago, Stuart Silvester said: "Forcing passwords to expire is generally considered a bad security practice now. Enforcing it may actually reduce the security of your member accounts instead of increasing it."
There are other use cases where this feature can be useful, not just for resetting "old" passwords. Sometimes it can be useful to reset a user's password if it has been leaked and the user used the same password on your site as on the source of the leak.
Stuart Silvester Posted August 22, 2022
On 8/19/2022 at 1:28 PM, 13. said: "There are other use cases where this feature can be useful, not just for resetting "old" passwords. Sometimes it can be useful to reset a user's password if it has been leaked and the user used the same password on your site as on the source of the leak."
That's a huge task in itself that I don't believe any community actually does or has the resources to do (haveibeenpwned databases are between 12 and 18 GB). At the same time though, that's also very difficult to do because you don't have the plain text password to compare with the database. In reality, web browsers do a much better job at this by checking the password as the user signs in. At that point the user should go and change their password if the browser tells them that it has been exploited.
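The check Stuart describes browsers doing at sign-in can also be done by the site at the same moment, without downloading the 12 to 18 GB corpus: the submitted plaintext is briefly in memory during a login, and Have I Been Pwned's Pwned Passwords range API only ever sees the first five hex characters of its SHA-1 (k-anonymity), returning every matching suffix and count for the site to compare locally. The following is an added example for this thread, not Invision Community code. The live fetcher targets the real api.pwnedpasswords.com range endpoint but is not called here; the leaked-password corpus and the offline `fake_fetch_range` are constructed so the example runs without network access.

```python
import hashlib
import urllib.request
from collections import Counter

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(sha1_hex: str) -> tuple[str, str]:
    """k-anonymity split: the 5-char prefix is sent, the 35-char suffix never is."""
    return sha1_hex[:5], sha1_hex[5:]


def parse_range_response(text: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns."""
    counts: dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range) -> int:
    """How many times the password appears in the corpus behind fetch_range."""
    prefix, suffix = split_hash(sha1_hex_upper(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_hibp(prefix: str) -> str:
    """Live fetcher for the real Pwned Passwords API (not used offline)."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "example-login-check", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


# --- Constructed offline stand-in for the API so the example runs without network ---
LEAKED_CORPUS = ["password", "password", "password", "123456", "qwerty"]  # constructed


def build_fake_ranges(corpus) -> dict[str, list[str]]:
    ranges: dict[str, list[str]] = {}
    for pw, n in Counter(corpus).items():
        prefix, suffix = split_hash(sha1_hex_upper(pw))
        ranges.setdefault(prefix, []).append(f"{suffix}:{n}")
    return ranges


FAKE_RANGES = build_fake_ranges(LEAKED_CORPUS)


def fake_fetch_range(prefix: str) -> str:
    # Mimics the API's response format, including a padding line with count 0.
    lines = FAKE_RANGES.get(prefix, []) + ["0" * 35 + ":0"]
    return "\r\n".join(lines) + "\r\n"


def login_time_check(password: str, fetch_range=fake_fetch_range) -> str:
    """Decision taken right after a successful credential check."""
    return "reset_required" if pwned_count(password, fetch_range) > 0 else "ok"


if __name__ == "__main__":
    print(pwned_count("password", fake_fetch_range))         # 3
    print(login_time_check("correct horse battery staple"))  # ok
```

Because only a hash prefix leaves the server, this works against the stored-hash objection: the comparison happens on the site at login, not against the stored hash later. A hit is exactly the "evidence of compromise" case in the NIST text quoted earlier, so requiring a reset on a hit is consistent with not expiring passwords on a schedule.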