[RFC]Require Password Change On Login


Danielx64
Registered User
Posts: 304
Joined: Mon Feb 08, 2010 3:42 am

[RFC]Require Password Change On Login

Post by Danielx64 »

This topic was created due to this topic: viewtopic.php?f=105&t=41667

What:

Require Password Change On Login allows admins to force either all users, a selected group or a selected user to change their password.

Why?:
1.) You admin a 100% closed site wherein registrations are done entirely through the ACP and the initial password is chosen by the admin (what I have right now). You tell your users to change their password on first login. You even provide them a link to use as their "first login" which conveniently points right at the password change screen. But users, being users, ignore you. Months down the line you log in to their account with the old password and PM them from their own account a friendly reminder all the while cursing because you wish the above feature was implemented. Damn users.

2.) You suspect a particular user's account may be compromised however you don't want to outright change their pwd & invoke support requests. Instead you want him to have to change it on next login. If it's compromised the un-auth'd user will either abandon the account or change the password. Option a.) yay.; b.) the auth'd user will invoke powers of 'forgot my password' have the temp sent to them, go and reset it and... yay.

3.) You admin a site where, for whatever reason, you are changing a user's password for them (perhaps the knob posted his password online) so you change it and provide it to him, however you want to make sure that they immediately change it once they get back in.

4.) I'm sure there's other use-cases that I can't think of so instead I'll simply say: there's got to be a reason why so many systems (bb and otherwise) come with the 'change password on next login' feature.
5.) Forums get hacked, someone steals a copy of the database and you want to do the right thing by asking everyone to change their password. While it is rather hard to crack the password as it is not in plain text, you just (as an admin) want to do the right thing.

How:

An option in the ACP that lets admins click on to require all users to change their password. To make sure that it doesn't get clicked on by mistake, the admin would be asked if they are sure if they want to do this. There should also be an option that lets admins force password change for a user or members in a certain group.

Permissions:

I think this is overkill but maybe allow only the founder to do this?

Logic flow:
-Administrator checks "Require new password" in ACP for one or all users
-User logs in using old password, immediately redirected to new screen with two fields ("New password"/"Confirm new password") and an explanation (something to the effect of "Administrator has required you to set a new password. The new password cannot be the same as the old password." as well as any password strength requirements if we implement that).
-User enters password
----Same as old password, error; require new password
----Different from old password, does not meet password strength requirements, error; require new password
----Different from old password, meets strength requirements, success; continue to original destination
-User attempts to view another page before changing password; redirect back to password change screen
I hope I got everything covered. If not, please let me know.
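The logic flow above, modelled as an added example (not phpBB code, and not something the original poster wrote). All names here (Board, UserRecord, require_password_change, admin_reset_password, request_page, change_password) are hypothetical; PBKDF2 stands in for whatever hash the board actually uses, and the strength rule (eight characters, one letter, one digit) is a placeholder. The one point the model makes explicit is that "the new password cannot be the same as the old password" has to be checked by verifying the candidate against the stored hash, since the old plaintext is never available, and that an admin-set temporary password (use case 3) sets the flag automatically.

```python
"""Model of the "require password change on login" flow from the RFC.

Added example, not phpBB code. Every name below is hypothetical and the
password hashing/strength rules are stand-ins, not the board's own.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 20_000  # assumption: kept low for the example; use a slow hash in production


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a password; fresh random salt unless one is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored hash."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


@dataclass
class UserRecord:
    username: str
    salt: bytes
    digest: bytes
    group: str = "registered"
    force_change: bool = False  # the "password change required" flag


@dataclass
class Board:
    users: Dict[str, UserRecord] = field(default_factory=dict)
    sessions: Dict[str, str] = field(default_factory=dict)  # session id -> username
    min_length: int = 8

    def add_user(self, username: str, password: str, group: str = "registered") -> None:
        salt, digest = hash_password(password)
        self.users[username] = UserRecord(username, salt, digest, group)

    def require_password_change(self, *, everyone: bool = False, group: Optional[str] = None,
                                username: Optional[str] = None, confirmed: bool = False) -> int:
        """ACP action: flag everyone, one group, or one user. Returns how many were flagged.
        The board-wide variant needs the 'are you sure' confirmation the RFC asks for."""
        if everyone and not confirmed:
            raise ValueError("board-wide flag requires explicit confirmation")
        count = 0
        for user in self.users.values():
            if everyone or user.group == group or user.username == username:
                user.force_change = True
                count += 1
        return count

    def admin_reset_password(self, username: str, temp_password: str) -> None:
        """Use case 3: admin sets a temporary password; the flag is set automatically."""
        user = self.users[username]
        user.salt, user.digest = hash_password(temp_password)
        user.force_change = True

    def login(self, username: str, password: str) -> Optional[str]:
        """Old password still works for login; the flag is enforced afterwards."""
        user = self.users.get(username)
        if user is None or not verify_password(password, user.salt, user.digest):
            return None
        sid = os.urandom(8).hex()
        self.sessions[sid] = username
        return sid

    def request_page(self, sid: str, page: str) -> str:
        """Every page except the change screen redirects while the flag is set."""
        user = self.users[self.sessions[sid]]
        if user.force_change and page != "ucp_change_password":
            return f"redirect:ucp_change_password?redirect={page}"
        return page

    def meets_strength(self, password: str) -> bool:
        return (len(password) >= self.min_length
                and re.search(r"[A-Za-z]", password) is not None
                and re.search(r"\d", password) is not None)

    def change_password(self, sid: str, new_password: str, confirm: str) -> str:
        """The three outcomes from the logic flow, plus the confirm-field mismatch."""
        user = self.users[self.sessions[sid]]
        if new_password != confirm:
            return "error:mismatch"
        # "Same as old" can only be tested against the stored hash.
        if verify_password(new_password, user.salt, user.digest):
            return "error:same_as_old"
        if not self.meets_strength(new_password):
            return "error:too_weak"
        user.salt, user.digest = hash_password(new_password)
        user.force_change = False
        return "ok"


if __name__ == "__main__":
    board = Board()
    board.add_user("mod1", "Another1pw", group="mods")  # constructed sample account
    board.require_password_change(group="mods")
    sid = board.login("mod1", "Another1pw")
    print(board.request_page(sid, "viewforum"))          # redirected to the change screen
    print(board.change_password(sid, "NewPass456", "NewPass456"))  # ok
    print(board.request_page(sid, "viewforum"))          # viewforum
```

The redirect carries the originally requested page so the user lands on their destination after a successful change, as the last step of the flow requires; the login itself still accepts the old password, which is why the enforcement has to sit on every subsequent request rather than on the login form.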

MartinTruckenbrodt
Posts: 171
Joined: Sun Jan 29, 2006 1:00 pm
Location: Germany
Contact:

Re: [RFC]Require Password Change On Login

Post by MartinTruckenbrodt »

Hello,
+1!!!

BTW for possible coders: ADAP is adding a similar feature to force email address change to Olympus. But it offers no feature to require/force all users by now. If somebody wants to do it (I don't have the skills to create patches!), please let me know. I will help you with explanations for my code and so on.

Bye Martin
Advanced Block MOD 1.1.1 has been released! - Prevent spam on your phpBB3 board with Stop Forum Spam, BotScout, Akismet, Project Honey Pot and several IP-RBL and Domain-RBL DNS blacklists! - My MODs

KnocksX
Registered User
Posts: 80
Joined: Thu Jul 19, 2012 2:03 am

Re: [RFC]Require Password Change On Login

Post by KnocksX »

My site was compromised in a hacker attack, and I suspect a keylogging virus. I need all my Moderators to change their passwords ASAP, and this feature is extremely important for security.

ecwpa
Registered User
Posts: 181
Joined: Mon Jan 24, 2005 2:10 am
Contact:

Re: [RFC]Require Password Change On Login

Post by ecwpa »

I like the idea.

Somewhat related: a few months ago the Steam user database was compromised too, but they already had a really neat feature under settings called "log me out from every device but this". This is great in case users think they forgot to log out from a public computer or something similar and don't want to change their current password.
Slightly better English than it was in 2005, still improving :D

MichaelC
Development Team
Posts: 889
Joined: Thu Jan 28, 2010 6:29 pm

Re: [RFC]Require Password Change On Login

Post by MichaelC »

+1
Formerly known as Unknown Bliss
psoTFX wrote: I went with Olympus because as I said to the teams ... "It's been one hell of a hill to climb"
No unsolicited PMs please except for quotes.


Pony99CA
Registered User
Posts: 986
Joined: Sun Feb 08, 2009 2:35 am
Location: Hollister, CA
Contact:

Re: [RFC]Require Password Change On Login

Post by Pony99CA »

While this is certainly a good idea, the following use case is suspect:
You suspect a particular user's account may be compromised however you don't want to outright change their pwd & invoke support requests. Instead you want him to have to change it on next login. If it's compromised the un-auth'd user will either abandon the account or change the password. Option a.) yay.; b.) the auth'd user will invoke powers of 'forgot my password' have the temp sent to them, go and reset it and... yay.
First, scenario B is kind of silly. The admin could just change the password himself and the user could use the forgotten password use case when he found that he couldn't log in. If an account is compromised, you shouldn't let the hacker be able to change the password.

Second, wouldn't it be better to change the user's password via the ACP and have the system send a new password E-mail to the user? Currently, changing the user's password via the ACP does not generate that E-mail. While the user could use the forgotten password use case without the E-mail, it's nicer to let the user know that the password was changed by an admin than to make the user think that he's getting forgetful. ;)

This E-mail could be done one of two ways:
  • The E-mail explains that the admin reset the user's password and includes the new password. Of course, as E-mail is plaintext, sending the new password should automatically set the Password change required flag for the user.
  • The E-mail explains that the admin reset the user's password and tells the user to use the forgotten password procedure (including a link to that page, of course) to regain access to the board.
Could we add sending that E-mail to the RFC (perhaps by broadening the RFC a bit if necessary)?

Steve
Silicon Valley Pocket PC (http://www.svpocketpc.com)
Creator of manage_bots and spoof_user (ask me)
Need hosting for a small forum with full cPanel & MySQL access? Contact me or PM me.

