Enforce Password Reset (x days, immediate force, etc.)

I was wondering if there was a feature/plugin that could enable any of the following:

Password reset forced every X number of days.

Immediate system wide password expiration and reset.

System generated passwords -> emailed to user @ account email address.

Password history/aging definable to remember X previous passwords.

Strict password checking to enforce set standards. (upper, lower, numeric, special character, etc.)

Thanks in advance for any information you can provide.

-J

Hi J,

there’s no such plugin.

If you are using AD/LDAP for auth. you may already have a very good password policy.

LG

jidol wrote:

I was wondering if there was a feature/plugin that could enable any of the following:

Password reset forced every X number of days.

Note that this is generally considered weakening the password used, because most users just append something like the current month as a number to their universal password.

Surely that’s not the case; if you never have to change your password then people generally won’t.

Therefore, if the password is compromised it’ll remain that way.

A sensible password policy (i.e. one that doesn’t force the users into using a pattern) is better than none at all, IMHO.

Hi Jeremy,

I answered a similar request a while back but I don’t know if the original poster ever took a stab at developing such a plugin. Originally I was thinking that a force password change option would be a nice addition to the Registration plugin but it might make more sense to develop a separate plugin that has all the suggestions you listed above. Such a plugin is still on my TODO list but I haven’t had an opportunity to work on it.

Regards,

Ryan

The reason I asked is because I work for an agency that periodically will issue mandates to enforce a 100% password change in addition to enforcing password complexity and aging policies.

We haven’t tied it to AD/LDAP as we are only using it for small user communities and only internally at this time. If we decided to field a larger scope solution - then I’m sure we’d go ahead and tie them together in some fashion.

I’m keenly interested in that plugin you mentioned however, as I’m sure most federal/gvmt agencies would be, to help comply with existing security policies.

Thanks Again.

-J

anlumo wrote:

Note that this is generally considered weakening the password used, because most users just append something like the current month as a number to their universal password.

That’s where aging comes into play by keeping X number of previous passwords and ensuring that no more than X% of the characters match positionally. Usually you’d check to see if the password matches the previous one, then check to see how much of the password matches the previous one. If > X% - reject password change. You could even take it a step farther and check based on shifting - looking for the sly user to shift the universal password positionally within the new password.

You can try to catch people - but they go to great lengths to keep their password unchanged (mostly). I agree with you there.

All I’m trying to do is find a way to comply with agency guidelines as to how passwords are maintained and expire.

-J
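The history and similarity checks J describes above (exact match against the previous password, a positional-overlap percentage, and the shifted-overlap variant that catches "my password moved one character to the right"), written out as an added example. This is not code from the thread or from any plugin; the function names, the 50% threshold and the sample passwords are assumptions chosen for illustration. One caveat the post does not spell out: a positional comparison needs the old password in clear, and you only have that for the *current* password, because the user types it in to change it. Older passwords should exist only as salted hashes, so they can be checked for exact reuse but not for percentage overlap.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Sequence, Tuple

# Added example, not the forum's or any plugin's code. It rejects a new
# password that equals or positionally overlaps the current one (at any
# shift), and rejects exact reuse of any remembered previous password.
#
# Assumption: PBKDF2 from the standard library is used so the block runs
# offline; a production plugin would use bcrypt or argon2 instead.
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) as it would be stored in the password history."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches_hash(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored entry."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def positional_overlap(new: str, old: str, shift: int = 0) -> float:
    """Fraction of old's characters found at the same index in new after
    sliding old right by `shift` positions (negative shifts slide it left)."""
    if not old:
        return 0.0
    matches = sum(
        1 for i, ch in enumerate(old)
        if 0 <= i + shift < len(new) and new[i + shift] == ch
    )
    return matches / len(old)


def max_overlap(new: str, old: str) -> float:
    """Best positional overlap over every shift that keeps at least one
    character of old aligned with new; this is the 'shifting' check."""
    if not new or not old:
        return 0.0
    new, old = new.lower(), old.lower()  # Winter2023 vs winter2023 is not a change
    return max(
        positional_overlap(new, old, shift)
        for shift in range(-(len(old) - 1), len(new))
    )


def check_password_change(
    new: str,
    current: str,
    history: Sequence[Tuple[bytes, bytes]],
    max_similarity: float = 0.5,  # assumption: the X% from the post, set to 50%
) -> List[str]:
    """Return the reasons to reject `new`; an empty list means accept it."""
    reasons: List[str] = []
    if new == current:
        reasons.append("new password is identical to the current password")
    else:
        overlap = max_overlap(new, current)
        if overlap >= max_similarity:
            reasons.append(
                f"new password shares {overlap:.0%} of the current password's characters "
                f"at the same or a shifted position (limit {max_similarity:.0%})"
            )
    # History holds only salted hashes, so it can catch exact reuse but
    # cannot be used for the percentage comparison above.
    if any(matches_hash(new, salt, digest) for salt, digest in history):
        reasons.append("new password was used before (reuse of a remembered password)")
    return reasons


if __name__ == "__main__":
    # Constructed sample data: one remembered old password, one current one.
    remembered = [hash_password("OldPass1!")]
    for candidate in ("Winter2024!", "xWinter2023", "OldPass1!", "Tangerine-Lamp-42"):
        verdict = check_password_change(candidate, "Winter2023!", remembered)
        print(candidate, "->", "accepted" if not verdict else "; ".join(verdict))
```

The month-suffix trick from earlier in the thread ("Winter2023!" to "Winter2024!") scores 10 of 11 characters in place and is rejected; prefixing a character to shift the old password scores 100% at shift 1 and is also rejected. The history list is kept as salted hashes only, which is why reuse is an exact-match check.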