- Improvement
- Resolution: Unresolved
- Minor
- None
- Future Dev
This improves upon MDL-67309.
Let's assume a scenario where a user has a password which has been compromised and is available in HIBP, and we check that via the password policy.
The user goes to login, the password is bad so we prompt them to change it if they can, or reset it if the auth plugin can't change it. The UX for 'change' is better because they are still logged in, their password gets improved, and they keep going. I think most sites would want this option.
But 'reset' is more secure. If a password is in HIBP then it's usually pretty old. If we know it's been compromised we should not trust it at all, so it would be better to force the user to reset their password via other means.
So I think $CFG->passwordpolicycheckonlogin should be swapped from a checkbox to a select with options which are still compatible with the current 0 / 1 values:
0) do nothing
1) Force password change, or reset if they can't change it
2) Force a password reset
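As an added illustration (not Moodle core code and not a patch for this issue), the sketch below shows how a login-time check could branch on the three proposed values while keeping 0 and 1 backward compatible with the existing checkbox. It assumes the existing Moodle functions check_password_policy(), get_auth_plugin(), can_change_password(), can_reset_password(), set_user_preference(), setnew_password_and_mail() and require_logout(); the function name handle_login_password_policy(), the PPCHECK_* constants and the choice of delivering the reset by mailing a new password are assumptions made for the example.

```php
<?php
// Added example: sketch of a three-valued $CFG->passwordpolicycheckonlogin.
// Values 0 and 1 keep the meaning of the current checkbox; 2 is the new
// "force a reset" option. Not Moodle core code; helper names marked below
// are assumptions.

defined('MOODLE_INTERNAL') || die();

// Constant names are hypothetical; the numeric values are the ones proposed.
const PPCHECK_NONE = 0;            // Do nothing.
const PPCHECK_CHANGE_OR_RESET = 1; // Force change; reset if the plugin can't change it.
const PPCHECK_RESET = 2;           // Always force a reset via other means.

/**
 * Apply the login-time password policy check for a user who just authenticated.
 * (Hypothetical function name.)
 *
 * @param stdClass $user     the authenticated user record
 * @param string   $password the plaintext password that was just verified
 * @return string 'ok', 'change' or 'reset', describing what was enforced
 */
function handle_login_password_policy(stdClass $user, string $password): string {
    global $CFG;

    $mode = (int)($CFG->passwordpolicycheckonlogin ?? PPCHECK_NONE);
    if ($mode === PPCHECK_NONE) {
        return 'ok';
    }

    // check_password_policy() runs every configured check, including an HIBP
    // lookup when that is part of the site's policy; a failure fills $errmsg.
    $errmsg = '';
    if (check_password_policy($password, $errmsg, $user)) {
        return 'ok';
    }

    $authplugin = get_auth_plugin($user->auth);

    if ($mode === PPCHECK_CHANGE_OR_RESET && $authplugin->can_change_password()) {
        // Current behaviour: keep the session and make the user pick a new password.
        set_user_preference('auth_forcepasswordchange', 1, $user);
        return 'change';
    }

    // Mode 2, or mode 1 where the plugin cannot change passwords: do not trust the
    // compromised password at all. End the session and require a reset out of band.
    // Mailing a freshly generated password is one possible reset mechanism and only
    // applies to plugins that let Moodle reset the password; other sites may prefer
    // to send the user through the forgot-password flow instead.
    if ($authplugin->can_reset_password()) {
        setnew_password_and_mail($user);
    }
    require_logout();
    return 'reset';
}
```

With this shape an upgraded site that had the checkbox ticked keeps the value 1 and sees no change in behaviour, while choosing 2 makes the compromised password unusable regardless of whether the auth plugin supports in-session changes.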