Require Password Change On Login

General discussion of development ideas and the approaches taken in the 3.x branch of phpBB. The next feature release of phpBB 3 will be 3.3/Proteus.
Forum rules
Please do not post support questions regarding installing, updating, or upgrading phpBB 3.2.x. If you need support for phpBB 3.2.x please visit the 3.2.x Support Forum on phpbb.com.

If you have questions regarding writing extensions please post in Extension Writers Discussion to receive proper guidance from our staff and community.
Post Reply
phynixx
Registered User
Posts: 22
Joined: Thu Sep 22, 2011 12:18 am

Require Password Change On Login

Post by phynixx » Thu Sep 22, 2011 2:07 am

Hi all. I've looked around for similar suggestions for 3.1, 3.2 & 4.0 and haven't come up with anything (although searching for 'password' linked to other very interesting suggestions). Anyways after what I hope was enough due diligence I'd like to make the following suggestion:

Details:
ACP -> Users And Groups -> Manage Users -> user_x -> Overview (or future equivalent):
  • - It'd be great to be able to have a 'Require password change on next login' checkbox that implements the necessary functionality
    - Option to set this default "checked" for all new users would be nice too so those that always want it can have it, and visa versa.
    - While possibly difficult to implement it would make sense that this would require their new password not to be their old password.
    - Could (probably) easily integrate with existing code of 'expire password' such that instead of writing lots of new code, just call whatever it calls.
Use Cases:

1.) You admin a 100% closed site wherein registrations are done entirely through the ACP and the initial password is chosen by the admin (what I have right now). You tell your users to change their password on first login. You even provide them a link to use as their "first login" which conveniently points right at the password change screen. But users, being users, ignore you. Months down the line you login to their account with the old password and PM them from their own account a friendly reminder all the while cursing because you wish the above feature was implemented. Damn users.

2.) You suspect a particular users' account may be compromised however you don't want to outright change their pwd & envoke support requests. Instead you want him to have to change it on next login. If it's compromised the un-auth'd user will either abandon the account or change the password. Option a.) yay.; b.) the auth'd user will envoke powers of 'forgot my password' have the temp sent to them, go and reset it and... yay.

3.) You admin a site where, for whatever reason, you are changing a user's password for them (perhaps the knob posted his password online) so you change it and provide it to him, however you want to make sure that they immediately change it once they get back in.

4.) I'm sure there's other use-cases that I can't think of so instead I'll simply say: there's got to be a reason why so many systems (bb and otherwise) come with the 'change password on next login' feature.

Anyways, that's all I've got. Hope it's of some value to the community.

Corollary that may/may not be possible/easy: Don't allow users to re-use passwords. A feature request for another day...

innov8ion
Registered User
Posts: 3
Joined: Sat Nov 26, 2011 9:58 pm

Re: Require Password Change On Login

Post by innov8ion » Sat Nov 26, 2011 10:00 pm

This would be very nice. Is there even a way for a user to change their own password? The only method I see is to make the user an admin and have them change their password from the ACP. But this is very, very, stupid... Help!

User avatar
Noxwizard
Support Team Leader
Support Team Leader
Posts: 135
Joined: Sun Dec 18, 2005 5:44 pm
Location: Texas
Contact:

Re: Require Password Change On Login

Post by Noxwizard » Sun Nov 27, 2011 2:19 am

innov8ion wrote:Is there even a way for a user to change their own password? The only method I see is to make the user an admin and have them change their password from the ACP. But this is very, very, stupid... Help!
User Control Panel --> Profile --> Edit account settings

innov8ion
Registered User
Posts: 3
Joined: Sat Nov 26, 2011 9:58 pm

Re: Require Password Change On Login

Post by innov8ion » Sun Nov 27, 2011 2:25 am

Noxwizard wrote:
innov8ion wrote:Is there even a way for a user to change their own password? The only method I see is to make the user an admin and have them change their password from the ACP. But this is very, very, stupid... Help!
User Control Panel --> Profile --> Edit account settings
Thanks so much, and I apologize if this was off-topic.
Last edited by innov8ion on Sun Nov 27, 2011 2:58 am, edited 2 times in total.

Danielx64
Registered User
Posts: 304
Joined: Mon Feb 08, 2010 3:42 am

Re: Require Password Change On Login

Post by Danielx64 » Sun Nov 27, 2011 2:56 am

I can think of a different use case, forum get hacked, someone steals a copy of the phpbb database. While it is rather hard to crack the password, you want to do the right thing and make everyone change their password. So in this case you will want to add force password change for "all" users in one click (maybe 2 so that you can have "Are you sure" message)

Should this be a RFC?

User avatar
imkingdavid
Registered User
Posts: 1050
Joined: Thu Jul 30, 2009 12:06 pm

Re: Require Password Change On Login

Post by imkingdavid » Mon Dec 12, 2011 2:47 pm

*Daniel wrote:I can think of a different use case, forum get hacked, someone steals a copy of the phpbb database. While it is rather hard to crack the password, you want to do the right thing and make everyone change their password. So in this case you will want to add force password change for "all" users in one click (maybe 2 so that you can have "Are you sure" message)

Should this be a RFC?
I support for the feature, and it seems a few other people do as well, so I think it could be posted as an RFC.

Note that the RFC should include individual user setting for requiring them to change their password as well as a global user setting which will require all users to change their password.
phynixx wrote:While possibly difficult to implement it would make sense that this would require their new password not to be their old password.
Wouldn't be too hard. Even though the password isn't stored plaintext, we can still compare the new password to see if it would validate against the old hash and not accept it if so. Basically reverse of logging in (make sure it doesn't match instead of make sure it does).

Logic flow:
-Administrator checks "Require new password" in ACP for one or all users
-User logs in using old password, immediately redirected to new screen with two fields ("New password"/"Confirm new password") and an explanation (something to the effect of "Administrator has required you to set a new password. The new password cannot be the same as the old password." as well as any password strength requirements if we implement that).
-User enters password
----Same as old password, error; require new password
----Different from old password, does not meet password strength requirements, error; require new password
----Different from old password, meets strength requirements, success; continue to original destination
-User attempts to view another page before changing password; redirect back to password change screen
I do custom MODs. PM for a quote!
View My: MODs | Portfolio
Please do NOT contact for support via PM or email.
Remember, the enemy's gate is down.

Danielx64
Registered User
Posts: 304
Joined: Mon Feb 08, 2010 3:42 am

Re: Require Password Change On Login

Post by Danielx64 » Tue Dec 13, 2011 1:05 am


Danielx64
Registered User
Posts: 304
Joined: Mon Feb 08, 2010 3:42 am

Re: Require Password Change On Login

Post by Danielx64 » Sat Jul 28, 2012 2:04 am

Any updates to this?

Post Reply