[MDL-47830] Add password rotation restrictions - Moodle Tracker

XML

Word

Printable

Details

Type: Sub-task
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 2.7
Fix Version/s: 2.9
Component/s: Authentication
Labels:
- Totara
- ci
- triaged
- ui_change

Affected Branches:
MOODLE_27_STABLE
Fixed Branches:
MOODLE_29_STABLE
Pull from Repository:
https://github.com/skodak/moodle.git
Pull Master Branch:
wip_~~MDL-47830~~_m29_pwrotation
Pull Master Diff URL:
https://github.com/skodak/moodle/compare/master...wip_MDL-47830_m29_pwrotation
Testing Instructions:
Hide

1/ run phpunit tests
2/ disable password rotation restrictions and try changing password via change pw page and pw reset (regression testing only)
3/ enable password rotation restriction (note that current password at the time of enabling is not tracker, I was bitten by this a few times thinking it does not work)
4/ try changing own password - verify restriction is enforced
5/ try resetting own password - verify restriction is enforced
6/ signup as new user via email and verify the first password is tracked too

Places where password rotation is tracked and enforced:

forgotten password

change own password

user signup

Places where password rotation is NOT tracked and enforced:

using advanced user edit form - for security reasons nobody else should get any indication what was your password before!

user upload and automatic creation of passwords

web services
Show
1/ run phpunit tests 2/ disable password rotation restrictions and try changing password via change pw page and pw reset (regression testing only) 3/ enable password rotation restriction (note that current password at the time of enabling is not tracker, I was bitten by this a few times thinking it does not work) 4/ try changing own password - verify restriction is enforced 5/ try resetting own password - verify restriction is enforced 6/ signup as new user via email and verify the first password is tracked too Places where password rotation is tracked and enforced: forgotten password change own password user signup Places where password rotation is NOT tracked and enforced: using advanced user edit form - for security reasons nobody else should get any indication what was your password before! user upload and automatic creation of passwords web services

Description

There should be a way to say how many changes of passwords are required before reuse. This idea is to track and enforce restrictions only when changing own password via standard means - that is change password form and password reset process.

Attachments

Issue Links

caused a regression

MDL-48665 password reuse detection borked when resetting password

Closed

Activity

People

Assignee:: Petr Skoda

Reporter:: Petr Skoda

Integrator:: Sam Hemelryk

Tester:: Simey Lameze

Participants:: CiBoT, Damyon Wiese, Dan Poltawski, Eloy Lafuente (stronk7), Mary Cooch, Moodle HQ, Petr Skoda, Sam Hemelryk, Simey Lameze

Component watchers:: David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo

Votes:: 2 Vote for this issue

Watchers:: 9 Start watching this issue

Dates

Created:: 23/Oct/14 1:26 PM

Updated:: 07/May/15 1:37 AM

Resolved:: 06/Dec/14 4:07 AM

Fix Release Date:: 11/May/15