Create a drush command to change passwords on accounts that are not actively used

Given that passwords can take certain formats where the first 3 characters have special meaning, it may also be nice to do accept an argument for the contents of the first 3 characters of the password and then do the update on any accounts that match that.

Also, given that this could take a long time, it might make sense to do this for accounts in hunks.

My thought is that it would be in this module (or at least easy to achieve, like if there were an option to print a list of emails that got changed so the list could be imported to mailchimp) just to keep everything together. That said, I'd be fine if the initial version of this code didn't send emails and it became a followup issue.

It seems like a definite improvement to not re-hash the same users. That would be a performance killer on a large site. You could either have another table to track who has had this happen to them (and what their timestamp was at that time, I guess, so you know if/when to hit them again) OR set the hash to something like ZZZ and then a hash which Drupal's login process should never allow to succeed. That way you know not to re-hash anyone whose password is like 'ZZZ%'.

Another faster solution could be:

update users set pass = concat('ZZZ', sha(concat(pass, md5(rand())))) where...your conditions here.

Definitely getting there - thanks Matt!

+function hook_permission() {
+  return array(
+    'administer paranoia' => array(
+      'title' => t('Administer paranoia'),
+      'description' => t('Perform administration tasks for the Paranoia module.'),
+    ),
+  );
+}

This permission seems like it should have 'restrict access' => TRUE. Not because it presents a real risk, more because it's possible for someone to be a nuisance.

+function paranoia_mail($key, &$message, $params) {
+  $account = user_load($params['uid']);
+
+  $options = array(
+    'langcode' => $message['language']->language,
+  );

Maybe move those inside the case statement since at least the user_load is expensive and not necessary in 99% of the calls to hook_mail.

Looks solid. Let's leave it at "needs review" for a bit in case anyone else has ideas?

Thanks!

Here's a re-roll and slight cleanup (added comment to explain the ZZZ and inlined some temp variables that were used once in the mail function).

OK, here's a patch and an interdiff of what I changed since #10.
* Added some usage docs to the README.txt
* Cleaned up a few random things.
* Renamed the function hook_permission which wasn't firing :)
* Reduced or removed some comments that seemed unnecessary or unnecessarily long.

The error is just because of this line using short array syntax:

+  watchdog('paranoia', 'Queued @count users to have their password reset', ['@count' => $count]);	

Thanks, banviktor!

Moving this so it can be ported to Drupal 8.

Seems like a good idea, coltrane.

@banviktor, want to work on that?

Thanks, @banviktor. Now applied to 7.x and back to be ported to 8.x.