force password change on next login
deekayen - August 6, 2008 - 22:44
| Project: | Password policy |
| Version: | 5.x-1.x-dev |
| Component: | Miscellaneous |
| Category: | feature request |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | active |
Description
If a user other than the account owner changes the password on the account, when the account owner logs in, force the account owner to change their password. Windows Server has a similar feature ("user must change password on next logon" checkbox).

#1
This isn't optional for secure sites.
Drupal sends password information via plaintext E-mail, immediately compromising security. Also, the automatic password should expire after enough time has passed to allow for the user to receive the E-mail and log in. The greater the intervening time, the greater the security risk.
#2
See: Force users to change password on first login
#3
Deekayen, could this feature be moved to the login_security module? It makes sense to have it there. In fact, there's a portion of code (you developed) that fires up on 1st time login.