Moodle tracker issue MDL-68028

Improved $CFG->passwordpolicycheckonlogin with preference to reset vs change password


Details

    • Improvement
    • Status: Open
    • Minor
    • Resolution: Unresolved
    • Future Dev
    • None
    • Authentication

    Description

      This improves upon MDL-67309.

      Let's assume a scenario where a user has a password which has been compromised and is available in HIBP, and we check that via the password policy.

      The user goes to login, the password is bad so we prompt them to change it if they can, or reset it if the auth plugin can't change it. The UX for 'change' is better because they are still logged in, their password gets improved, and they keep going. I think most sites would want this option.

      But 'reset' is more secure. If a password is in HIBP then it's usually pretty old. If we know it's been compromised we should not trust it at all, so it would be better to force the user to reset their password via other means.

      So I think $CFG->passwordpolicycheckonlogin should be swapped from a checkbox to a select with options which are still compatible with the current 0 / 1 values:

      0) do nothing

      1) Force password change, or reset if they can't change it

      2) Force a password reset

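As an added illustration (not code from this issue or from Moodle itself), the following Python models the proposed three-valued setting: a compromised-password check in the style of the HIBP range lookup, followed by the decision between doing nothing, forcing a change (falling back to reset when the auth plugin can't change passwords) and forcing a reset. The enum name, the helper functions and the embedded range response are all constructed for the example.

```python
import hashlib
from enum import IntEnum


class PasswordPolicyCheckOnLogin(IntEnum):
    """Proposed values for $CFG->passwordpolicycheckonlogin (0 and 1 keep the
    meaning of the current checkbox, so existing configs stay valid)."""
    DO_NOTHING = 0
    FORCE_CHANGE_OR_RESET = 1
    FORCE_RESET = 2


def _sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed, offline stand-in for the HIBP Pwned Passwords range API: the
# real service is queried with the first five hex characters of the SHA-1 and
# answers with "SUFFIX:COUNT" lines for every hash sharing that prefix.
_LEAKED = _sha1_upper("correct horse battery staple")  # constructed "leaked" password
SAMPLE_RANGE_RESPONSES = {
    _LEAKED[:5]: f"0018A45C4D1DEF81644B54AB7F969B88D65:2\r\n{_LEAKED[5:]}:1532\r\n",
}


def sample_range_lookup(prefix: str) -> str:
    """Offline replacement for the HTTP request to /range/{prefix}."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


def breach_count(password: str, range_lookup=sample_range_lookup) -> int:
    """Return how often the password appears in the breach data (0 = not seen).
    Only the 5-char prefix leaves the client, never the password or full hash."""
    digest = _sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count or 0)
    return 0


def action_after_login(setting, password: str, auth_can_change_password: bool) -> str:
    """Decide what the login flow does once the policy check has run.
    Returns "continue", "change" (user stays logged in and picks a new password)
    or "reset" (user is sent through the out-of-band reset flow)."""
    mode = PasswordPolicyCheckOnLogin(int(setting))  # True/0/1 from old configs still work
    if mode is PasswordPolicyCheckOnLogin.DO_NOTHING or breach_count(password) == 0:
        return "continue"
    if mode is PasswordPolicyCheckOnLogin.FORCE_RESET:
        return "reset"
    return "change" if auth_can_change_password else "reset"
```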

      People

        Assignee: Unassigned
        Reporter: Brendan Heywood (brendanheywood)
        Votes: 0
        Watchers: 2