Posted by iva2k on June 14, 2009 at 6:32am
| Project: | Password policy |
| Version: | 6.x-1.x-dev |
| Component: | Code |
| Category: | feature request |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | active |
Issue Summary
Though the user profile does not request the old password in order to change the user password, it is still a bad security practice to be copied into such a great module as password_policy, which is all about security. I am strongly in favor of making the default setting require the old password for a password change on the tab. Call it level 1.
The 2nd level is to require the old password even if password_tab is not used.
These two levels make a good place for a checkbox "Require old password" on the policy form. There should be bypass logic when the user gets there from a one-time link and changes the password within a short time, so he/she does not have to remember that auto-generated password.
Comments
#1
+1
I've attached password change screenshots from a couple of popular services. They all implement this behavior.
#2
subscribe
#3
+1, and increasing the priority since this may be considered a security problem.
#4
Any reason why this has not been considered for the final 1.0 release?
#5
This is implemented by the Password change confirm module (a back port of D7 functionality).
#6
The module you have mentioned does not support the "Password change tab" sub-module of this module. And it does NOT require the current password to change it; it just asks for the new password twice instead of once.
#7
Password Policy is a backend module used to enforce password restrictions and manage forced expirations. There is nothing inherently UI-driven about this module.
Are you suggesting that we re-implement the functionality of the Password change confirm module inside Password Policy? It seems to me that this should be a patch to _that_ module to support an additional form ID. Modifying this module to add that field would be a substantially new feature (essentially absorbing this other module) or would create a specific dependency on that module. Either way it doesn't seem like a reasonable fit.
I'd be glad to discuss this more, but I don't see this fitting in. You say Password Policy is "all about security", but that's an overgeneralized explanation and makes it sound like Password Policy should fill all security requirements around passwords. That's simply not the case.
#8
#9
@erikwebb
You are talking about the password policy module and rightfully reject the points made above from that viewpoint. However, you missed the main starting point: the issue is about the password_tab module, which is packaged inside password policy. It is in fact a separate module with very different functionality than password policy itself. So you should step back and look at what the password_tab module is about and what its mission is. Then I hope you will accept the points made, starting with the one that it is a UI module. It also replaces core password functionality, and makes it less secure by removing the requirement (that exists in the core password form) for entering the old password in order to change the user password. Maybe things would be better and clearer if the password_tab module were a separate project, as there is no real dependency on password policy.
#10
I'm sorry, it totally skipped my mind that the normal password box requires the current password (I'm too accustomed to being an admin user). You're right.
Should be easy to patch - care to give it a shot?
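To make the patch suggested in #10 concrete, here is an added Drupal 6 sketch of a small helper module that adds a "Current password" field to the change form and validates it, with the one-time-link bypass the issue summary asks for. This is example code, not code from this thread or from the password_policy project; the module name require_old_pass, the target form ID (placeholder), the session flag and the 10-minute window are assumptions.

```php
<?php
// Placeholder: replace with the real form ID of the password_tab change form.
define('REQUIRE_OLD_PASS_FORM_ID', 'PASSWORD_TAB_FORM_ID_HERE');
// Assumed bypass window after a one-time login link, in seconds.
define('REQUIRE_OLD_PASS_BYPASS_WINDOW', 600);

/**
 * Implements hook_form_alter(): add the current-password field and validator.
 */
function require_old_pass_form_alter(&$form, $form_state, $form_id) {
  if ($form_id != REQUIRE_OLD_PASS_FORM_ID) {
    return;
  }
  global $user;
  // Bypass: the user just arrived through a one-time login link. The flag
  // (a timestamp) is assumed to be set by the code handling that link path;
  // it is consumed here so it can only be used once.
  $key = 'require_old_pass_reset_' . $user->uid;
  if (!empty($_SESSION[$key])) {
    $recent = (time() - $_SESSION[$key]) < REQUIRE_OLD_PASS_BYPASS_WINDOW;
    unset($_SESSION[$key]);
    if ($recent) {
      return;
    }
  }
  $form['current_pass'] = array(
    '#type' => 'password',
    '#title' => t('Current password'),
    '#description' => t('Enter your current password to confirm the change.'),
    '#required' => TRUE,
    '#weight' => -10,
  );
  $form['#validate'][] = 'require_old_pass_validate';
}

/**
 * Validation callback: reject the change unless the current password matches.
 */
function require_old_pass_validate($form, &$form_state) {
  global $user;
  $account = user_load(array('uid' => $user->uid));
  // Drupal 6 stores an unsalted MD5 of the password in {users}.pass.
  if (!$account || md5($form_state['values']['current_pass']) !== $account->pass) {
    form_set_error('current_pass', t('The current password you entered is incorrect.'));
    // Log the failure so repeated guesses against a hijacked session are visible.
    watchdog('user', 'Failed current-password check for uid %uid.',
      array('%uid' => $user->uid), WATCHDOG_WARNING);
  }
}
```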
#11
Sorry, I don't have time for that.
Here are the references I collected on the subject: