
    • MOODLE_27_STABLE
    • MOODLE_29_STABLE
    • wip_MDL-47830_m29_pwrotation

      1/ run phpunit tests
      2/ disable password rotation restrictions and try changing password via change pw page and pw reset (regression testing only)
      3/ enable password rotation restriction (note that current password at the time of enabling is not tracked; I was bitten by this a few times thinking it does not work)
      4/ try changing own password - verify restriction is enforced
      5/ try resetting own password - verify restriction is enforced
      6/ signup as new user via email and verify the first password is tracked too

      Places where password rotation is tracked and enforced:

      • forgotten password
      • change own password
      • user signup

      Places where password rotation is NOT tracked and enforced:

      • using advanced user edit form - for security reasons nobody else should get any indication what was your password before!
      • user upload and automatic creation of passwords
      • web services

      There should be a way to say how many changes of passwords are required before reuse. The idea is to track and enforce restrictions only when changing own password via standard means - that is change password form and password reset process.
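
The rotation rule described above, sketched as an added example; this is not Moodle's code, and the class, method and property names are hypothetical. It assumes PHP 8 and keeps the history in memory, storing only salted hashes of passwords the user set through the tracked paths (change own password, password reset, signup).

```php
<?php
// Added illustration, not Moodle code: all names below are hypothetical.
final class PasswordHistory
{
    /** @var array<int, string[]> user id => stored hashes, newest first */
    private array $hashes = [];

    // $rotation = number of password changes required before reuse; 0 disables the check.
    public function __construct(private int $rotation) {}

    /** True if $plain matches one of the user's tracked previous passwords. */
    public function isReused(int $userid, string $plain): bool
    {
        if ($this->rotation < 1) {
            return false;
        }
        // Hashes are salted, so every stored hash has to be verified individually;
        // a fresh hash of $plain would never equal a stored one.
        foreach ($this->hashes[$userid] ?? [] as $hash) {
            if (password_verify($plain, $hash)) {
                return true;
            }
        }
        return false;
    }

    /** Record a password the user just set, keeping only the newest $rotation hashes. */
    public function record(int $userid, string $plain): void
    {
        if ($this->rotation < 1) {
            return;
        }
        $list = $this->hashes[$userid] ?? [];
        array_unshift($list, password_hash($plain, PASSWORD_DEFAULT));
        $this->hashes[$userid] = array_slice($list, 0, $this->rotation);
    }
}

// Constructed scenario: user 7 already had a password when the restriction was enabled.
$history = new PasswordHistory(2);
// The pre-existing password was never recorded, so the check cannot see it.
var_dump($history->isReused(7, 'Original#1'));
$history->record(7, 'Second#2');
$history->record(7, 'Third#3');
// 'Second#2' is still among the last two tracked passwords here.
var_dump($history->isReused(7, 'Second#2'));
$history->record(7, 'Fourth#4');
// After this further change, 'Second#2' has rotated out of the two-entry history.
var_dump($history->isReused(7, 'Second#2'));
```

The first check shows the caveat from step 3: a password that was already in place when the restriction was enabled is not in the history until the user changes it once.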

            skodak Petr Skoda
            skodak Petr Skoda
            Sam Hemelryk Sam Hemelryk
            Simey Lameze Simey Lameze
            Votes: 2
            Watchers: 9
