Jump to content

Forcing a password change without sending an email


DamonT

Recommended Posts

The current option to force password changes sends an email to all forced users. This can generate anxiety because people think something bad has happened. Is it possible to force a change of passwords in such a way that the user only gets a message after entering the site and trying to log in? He should get info that his password has expired and he must now reset it for his security. Such a procedure does not arouse suspicion.

Link to comment
Share on other sites

Forcing passwords to expire is generally considered a bad security practise now. Enforcing it may actually reduce the security of your member accounts instead of increasing it.

Here are two useful resources, but you can find many more online.

 

Link to comment
Share on other sites

I understand. However, I wanted to lock accounts that have not been used for a long time in such a way for safety. Then, after trying to log in, the user would have to verify himself with access to his email and would change his password in the process.

Link to comment
Share on other sites

31 minutes ago, Stuart Silvester said:

Forcing passwords to expire is generally considered a bad security practise now. Enforcing it may actually reduce the security of your member accounts instead of increasing it.

There are other use cases where this feature can be useful. Not just for resetting "old" passwords. Sometimes it can be useful to reset a user's password if it has been leaked and the user used the same password on your site as he did on the source of the leak.

Link to comment
Share on other sites

On 8/19/2022 at 1:28 PM, 13. said:

There are other use cases where this feature can be useful. Not just for resetting "old" passwords. Sometimes it can be useful to reset a user's password if it has been leaked and the user used the same password on your site as he did on the source of the leak.

That's a huge task in itself that I don't believe any community actually does or has the resources to do (haveibeenpwned databases are between 12 and 18gb). At the same time though, that's also very difficult to do because you don't have the plain text password to compare with the database.

In reality, web browsers do a much better job at this with checking the password as they sign in. At that point the user should go and change their password if the browser tells them that it has been exploited.

Link to comment
Share on other sites

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...