DamonT Posted August 19, 2022: The current option to force password changes sends an email to all forced users. This can generate anxiety because people think something bad has happened. Is it possible to force a change of passwords in such a way that the user only gets a message after entering the site and trying to log in? He should get info that his password has expired and he must now reset it for his security. Such a procedure does not arouse suspicion.
Adriano Faria Posted August 19, 2022: 1 hour ago, Adriano Faria said: Sorry, I posted email change; not password.
DamonT (Author) Posted August 19, 2022: @Adriano Faria no problem, this plugin is also great, but not for my use case 😉
Stuart Silvester Posted August 19, 2022: Forcing passwords to expire is generally considered a bad security practice now. Enforcing it may actually reduce the security of your member accounts instead of increasing it. Here are two useful resources, but you can find many more online. https://www.ncsc.gov.uk/blog-post/problems-forcing-regular-password-expiry https://pages.nist.gov/800-63-3/sp800-63b.html#memsecretver "Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator."
DamonT (Author) Posted August 19, 2022: I understand. However, I wanted to lock accounts that have not been used for a long time in such a way for safety. Then, after trying to log in, the user would have to verify himself with access to his email and would change his password in the process.
aia Posted August 19, 2022: 31 minutes ago, Stuart Silvester said: Forcing passwords to expire is generally considered a bad security practice now. Enforcing it may actually reduce the security of your member accounts instead of increasing it. There are other use cases where this feature can be useful. Not just for resetting "old" passwords. Sometimes it can be useful to reset a user's password if it has been leaked and the user used the same password on your site as he did on the source of the leak.
Stuart Silvester Posted August 22, 2022: On 8/19/2022 at 1:28 PM, 13. said: There are other use cases where this feature can be useful. Not just for resetting "old" passwords. Sometimes it can be useful to reset a user's password if it has been leaked and the user used the same password on your site as he did on the source of the leak. That's a huge task in itself that I don't believe any community actually does or has the resources to do (haveibeenpwned databases are between 12 and 18 GB). At the same time, though, that's also very difficult to do because you don't have the plain text password to compare with the database. In reality, web browsers do a much better job at this by checking the password as they sign in. At that point the user should go and change their password if the browser tells them that it has been exploited.
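The point in the post above, that the plain text is only available at sign-in, is exactly what a verifier-side check exploits: hash the password the user just typed, send only the first five hex characters of the SHA-1 to a k-anonymity range service, and match the rest locally, so the site never ships or downloads the multi-gigabyte corpus. The example below is added here and is not code from this thread or from Invision Community; the range response is a constructed fixture standing in for the real Pwned Passwords API, and its counts are made up. The decision logic follows the NIST SP 800-63B rule quoted earlier: force a change only on evidence of compromise, never on a schedule.

```python
import hashlib

# Constructed stand-in for k-anonymity "range" responses. The real service is
# GET https://api.pwnedpasswords.com/range/<5-hex-prefix>, which returns every
# SHA-1 suffix sharing that prefix with its breach count, one "SUFFIX:COUNT"
# per line. Only the middle suffix below is a real SHA-1 tail (of "password");
# the other suffixes and all counts are made up for this example.
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "0029D0A7B7F5E1D2C3B4A596877E6D5C4B3:3\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\n"
        "2A4F9D1B0C8E7F6A5B4C3D2E1F0A9B8C7D6:0\n"   # padding entry, count 0
    ),
}

def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is
    sent to the service and the 35-char suffix that is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def fetch_range(prefix: str) -> str:
    """Offline stand-in for the HTTP range query (hypothetical helper);
    swap in a real HTTP client to query the live service."""
    return CONSTRUCTED_RANGES.get(prefix, "")

def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a mapping, skipping malformed lines."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str) -> int:
    """How many times the password appears in the breach corpus (0 if absent).
    Padding entries with count 0 are treated as not breached."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def login_decision(password: str) -> str:
    """Verifier policy at sign-in: a breached password is the 'evidence of
    compromise' that justifies a forced reset; anything else is allowed."""
    return "force_reset" if breach_count(password) > 0 else "allow"

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, sha1_prefix_suffix(pw)[0], login_decision(pw))
```

Because the check runs only when the user submits a password, it also gives the author of this thread the behaviour asked for at the top: the reset prompt appears at login, with a concrete reason, instead of arriving as an unexpected email.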