password_tab should require old password
iva2k - June 14, 2009 - 06:32
| Project: | Password policy |
| Version: | 6.x-1.x-dev |
| Component: | Code |
| Category: | feature request |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | active |
Description
Though the user profile does not request the old password in order to change the user password, it is still a bad security practice to be copied into such a great module as password_policy, which is all about security. I am strongly in favor of making the default setting require the old password for a password change on the tab. Call it level 1.
The second level is to require the old password even if password_tab is not used.
These two levels make a good place for a checkbox "Require old password" on the policy form. There should be bypass logic for when the user gets there from a one-time link and changes the password within a short time, so he/she does not have to remember that auto-generated password.
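As an added illustration (not code from the Password policy module or from the issue author), the following Python sketch models the two levels and the one-time-link bypass proposed above; the level names, the 600-second bypass window, the `one_time_login_at` session key and the PBKDF2 storage format are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import time

# Policy levels as described in the request (constructed names, not module settings).
LEVEL_OFF = 0         # never ask for the old password (current user-profile behaviour)
LEVEL_TAB_ONLY = 1    # level 1: require it on the dedicated password tab only
LEVEL_ALWAYS = 2      # level 2: require it on every password-change form

# Assumed grace period after a one-time login in which the old password is not asked for.
BYPASS_WINDOW_SECONDS = 600


def hash_password(password, salt=None):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 (assumed storage format)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of a candidate password against the stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)


def old_password_required(level, via_password_tab, session, now):
    """Decide whether the change form must validate the current password."""
    if level == LEVEL_OFF:
        return False
    if level == LEVEL_TAB_ONLY and not via_password_tab:
        return False
    # Bypass: the user arrived through a one-time login link a short time ago
    # and should not have to retype the auto-generated password.
    issued = session.get("one_time_login_at")
    if issued is not None and 0 <= now - issued <= BYPASS_WINDOW_SECONDS:
        return False
    return True


def change_password(account, level, via_password_tab, session, old_password, new_password, now=None):
    """Apply the policy; returns (changed, reason). Updates account and session in place."""
    now = time.time() if now is None else now
    if old_password_required(level, via_password_tab, session, now):
        if old_password is None or not verify_password(old_password, account["salt"], account["digest"]):
            return False, "current password is incorrect"
    # The bypass is single-use: consume the marker once a new password has been set.
    session.pop("one_time_login_at", None)
    account["salt"], account["digest"] = hash_password(new_password)
    return True, "password changed"
```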
