I was wondering if there was a feature/plugin that could enable any of the following:
Password reset forced every X number of days.
Note that this is generally considered weakening the password used, because most users just append something like the current month as a number to their universal password.
I answered a similar request a while back but I don't know if the original poster ever took a stab at developing such a plugin. Originally I was thinking that a force password change option would be a nice addition to the Registration plugin but it might make more sense to develop a separate plugin that has all the suggestions you listed above. Such a plugin is still on my TODO list but I haven't had an opportunity to work on it.
The reason I asked is because I work for an agency that periodically will issue mandates to enforce a 100% password change in addition to enforcing password complexity and aging policies.
We haven't tied it to AD/LDAP as we are only using it for small user communities and only internally at this time. If we decided to field a larger scope solution - then I'm sure we'd go ahead and tie them together in some fashion.
I'm keenly interested in that plugin you mentioned however, as I'm sure most federal/gvmt agencies would be, to help comply with existing security policies.
Note that this is generally considered weakening the password used, because most users just append something like the current month as a number to their universal password.
That's where aging comes into play by keeping X number of previous passwords and ensuring that no more than X% of the characters match positionally. Usually you'd check to see if the password matches the previous one, then check to see how much of the password matches the previous one. If > X% - reject password change. You could even take it a step farther and check based on shifting - looking for the sly user to shift the universal password positionally within the new password.
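A worked version of that history check (exact match, positional X% match, then the shifted comparison), added here as an example and not code from any plugin mentioned in the thread; the 50% threshold, the function names and the sample passwords are my assumptions:

```python
"""Password-history check as described in the thread (added example).

Assumptions (not from the thread): previous passwords are available in
plaintext at change time, the threshold is 50%, and "shifting" means the
old password slid across the new one at every offset.
"""


def positional_match_pct(old: str, new: str) -> float:
    """Percentage of positions in `new` holding the same character as `old`."""
    if not new:
        return 0.0
    same = sum(1 for a, b in zip(old, new) if a == b)
    return 100.0 * same / len(new)


def shifted_match_pct(old: str, new: str) -> float:
    """Best positional match when `old` is slid across `new` at every offset,
    so that 'xxSummer2023!' is still recognised as containing 'Summer2023!'."""
    best = 0.0
    for offset in range(-len(old) + 1, len(new)):
        same = 0
        for i, ch in enumerate(old):
            j = i + offset
            if 0 <= j < len(new) and new[j] == ch:
                same += 1
        best = max(best, 100.0 * same / len(new))
    return best


def check_new_password(new: str, history, max_match_pct: float = 50.0,
                       check_shift: bool = True):
    """Return (accepted, reason) for a proposed password against the history."""
    for old in history:
        if new == old:
            return False, "matches a previous password"
        pct = positional_match_pct(old, new)
        if pct > max_match_pct:
            return False, f"{pct:.0f}% of characters match a previous password positionally"
        if check_shift:
            spct = shifted_match_pct(old, new)
            if spct > max_match_pct:
                return False, f"{spct:.0f}% of characters match a previous password after shifting"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample history and candidates, not real credentials.
    previous = ["Summer2023!"]
    for candidate in ["Summer2024!", "xxSummer2023!", "Tr0ub4dor&3"]:
        print(candidate, check_new_password(candidate, previous))
```

The positional and shift comparisons only work when the old plaintext is in hand, which in practice means the user supplying the current password on the change form; a history stored only as hashes supports nothing more than the exact-match check.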
You can try to catch people - but they go to great lengths to keep their password unchanged (mostly). I agree with you there.
All I'm trying to do is find a way to comply with agency guidelines as to how passwords are maintained and expire.