crypto
Worker
Joined: Aug 02, 2004
Posts: 165
Posted: Sat Nov 26, 2011 6:13 am
Is there any hack/module available which forces users to change their password?
Feature request:
Password change should be able to be forced in one of the following ways:
1) by time range: every xx days (e.g. every 90 days)
2) by admin "manual command" which forces a password change for all users at their next logon.
3) by admin "manual command" which generates unique passwords for all users immediately.
New passwords should follow the $ya_config['pass_min'] and "$strs =..." parameters (in functions.php).
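The three triggers in the feature request above, modelled in Python as an added example (this is not RavenNuke, phpBB or PHP-Nuke code). `PASS_MIN` and `ALLOWED_CHARS` are assumed stand-ins for `$ya_config['pass_min']` and the `$strs` alphabet; the accounts, dates and the placeholder hash function are constructed for the demonstration:

```python
"""Forced password change: a constructed Python model of the three triggers
requested above (not RavenNuke, phpBB or PHP-Nuke code).

  1. age-based expiry: the password is older than MAX_AGE_DAYS,
  2. admin command: flag every account so the next logon demands a change,
  3. admin command: issue a fresh random password to every account now.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import secrets

PASS_MIN = 8            # assumed stand-in for $ya_config['pass_min']
MAX_AGE_DAYS = 90       # the "every 90 days" example from the request
# assumed stand-in for the $strs alphabet; visually ambiguous glyphs (0/O, 1/l/I) left out
ALLOWED_CHARS = "abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"
# fixed "now" so the constructed sample data below is reproducible
NOW = datetime(2011, 11, 26, 6, 13, tzinfo=timezone.utc)


@dataclass
class User:
    name: str
    pw_hash: str
    changed_at: datetime        # when the current password was set
    must_change: bool = False   # set by trigger 2 (and by trigger 3)


def hash_password(pw: str) -> str:
    # Placeholder for the demo only; store real passwords with a salted, slow hash.
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def make_sample_users(now: datetime = NOW) -> list:
    """Constructed accounts: one fresh password, one 120 days old."""
    return [
        User("alice", hash_password("CorrectHorse1"), now - timedelta(days=10)),
        User("bob", hash_password("Tr0ub4dor"), now - timedelta(days=120)),
    ]


def needs_change(user: User, now: datetime, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """Trigger 1 (age) or trigger 2 (admin flag)."""
    if user.must_change:
        return True
    return now - user.changed_at >= timedelta(days=max_age_days)


def force_change_all(users: list) -> int:
    """Trigger 2: mark every account; the old password works for exactly one more logon."""
    for u in users:
        u.must_change = True
    return len(users)


def generate_password(length: int = PASS_MIN, alphabet: str = ALLOWED_CHARS) -> str:
    """Random password from the allowed alphabet (CSPRNG), never shorter than PASS_MIN."""
    length = max(length, PASS_MIN)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def reset_all_passwords(users: list, now: datetime) -> dict:
    """Trigger 3: give every account a unique random password.

    Returns {name: plaintext} for one-time, out-of-band delivery; only the hash
    is stored, and must_change stays set so the issued password is single-use.
    """
    issued = {}
    for u in users:
        pw = generate_password()
        while pw in issued.values():        # uniqueness across the batch
            pw = generate_password()
        u.pw_hash = hash_password(pw)
        u.changed_at = now
        u.must_change = True
        issued[u.name] = pw
    return issued


def logon(user: User, password: str, now: datetime) -> str:
    """'denied' on a bad password, 'change_required' if a trigger fired, else 'ok'."""
    if hash_password(password) != user.pw_hash:
        return "denied"
    if needs_change(user, now):
        return "change_required"
    return "ok"


if __name__ == "__main__":
    users = make_sample_users()
    print("alice:", logon(users[0], "CorrectHorse1", NOW))   # ok
    print("bob:", logon(users[1], "Tr0ub4dor", NOW))         # change_required (120 days old)
    force_change_all(users)
    print("alice after admin command:", logon(users[0], "CorrectHorse1", NOW))
    print("issued by reset:", reset_all_passwords(users, NOW))
```

The state needed is small: a timestamp and a flag per account. Trigger 2 is therefore a flag flip rather than a mass reset, which keeps users' own passwords valid for one more logon, while trigger 3 returns the plaintexts once and stores only hashes.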
Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam
Posted: Sat Nov 26, 2011 4:11 pm
I'm sure it can be done and I know your reasons for asking.
On the down side, if I was a member of a website and they kept forcing me to change my password, I think I would get pretty hissed off with it if it was too frequent.
Even so, I think this is a good idea if used correctly.
fkelly
Former Moderator in Good Standing
Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY
Posted: Sat Nov 26, 2011 7:28 pm
As a user, tracking passwords for the large number of sites that I visit is already a giant P.I.T.A. Any site that required me to change my password frequently would get deleted from my bookmarks and from my visiting list really quickly.
Changing passwords frequently does nothing to provide security anyway. Requiring somewhat complex passwords that aren't dictionary words and don't match the username or email adds a bit to security and is worth doing.
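The acceptance checks named in this post (minimum length, not a dictionary word, not matching the username or e-mail) as a small validator. This is an added Python example, not code from the thread or from RavenNuke; the word list, user name and e-mail address are constructed:

```python
"""Password acceptance checks of the kind described above: minimum length,
not a dictionary word, not matching the user name or e-mail address.
Constructed Python example, not code from this thread or from RavenNuke."""
import re

# Constructed mini word list; a deployment would load a full dictionary or a
# breached-password list instead.
WORDLIST = {"password", "letmein", "welcome", "monkey", "dragon", "qwerty"}


def check_password(pw: str, username: str, email: str,
                   min_len: int = 8, wordlist=WORDLIST) -> list:
    """Return the list of violated rules; an empty list means the password is accepted."""
    problems = []
    low = pw.lower()

    if len(pw) < min_len:
        problems.append("too short")

    # Dictionary check, also with trailing digits/symbols stripped so that
    # "password123" and "welcome!" are caught as the words they are.
    core = re.sub(r"[^a-z]+$", "", low)
    if low in wordlist or core in wordlist:
        problems.append("dictionary word")

    # User name: substring match for names of 3+ chars, exact match for shorter
    # ones (otherwise a two-letter name would reject almost everything).
    uname = username.lower()
    if uname and (uname in low if len(uname) >= 3 else uname == low):
        problems.append("contains username")

    # E-mail: the whole address or its local part (the piece before '@').
    email_low = email.lower()
    local = email_low.split("@", 1)[0]
    if low == email_low or (local and (local in low if len(local) >= 3 else local == low)):
        problems.append("matches email")

    return problems


if __name__ == "__main__":
    for candidate in ["password123", "short", "fkelly2011!", "Y7#pq!Lm2v"]:
        verdict = check_password(candidate, "fkelly", "fkelly@example.com")
        print(candidate, "->", verdict or "accepted")
```

Returning the full list of violations rather than the first one lets the registration form tell the user everything that is wrong with the candidate in one round trip.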
Susann
Moderator
Joined: Dec 19, 2004
Posts: 3191
Location: Germany: Moderator German NukeSentinel Support
Posted: Sun Nov 27, 2011 10:46 am
It's just a big lie to say it's for better security.
The truth is that often sites which use such a password script have been hacked in the past and all their data has been stolen. They don't talk about their issues in public, but as a registered user you should be very careful with such sites when they suddenly use such password scripts. Just my opinion.
A lot of known sites did not use such a method even though they have been hacked and this issue was published.
Maybe you can find something for phpBB, but you should think about whether to use such a hack or not.
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
Posted: Sun Nov 27, 2011 3:57 pm
To no-one in particular, just a general comment regarding regular password changes. If changing one's password on a frequent basis weren't an important security consideration, my company of over 100,000 employees wouldn't need to have a policy which forces us to change our passwords every 90 days. Yes, there are other policies just as important, one of which was mentioned here already, which is strong passwords.
I think it really depends upon the site whether a 90-day policy is useful or not. For 99% of the *nuke sites, I agree, completely unnecessary. However, if supporting business use is of interest, then this would be a valuable enhancement.
All JMO.
Guardian2003
Posted: Sun Nov 27, 2011 4:50 pm
Personally I think the easiest way to 'enhance' password security is to stop allowing users to create their own password and use a randomly generated one instead.
The main drawback with MD5 is that it has a relatively finite number of possibilities given it always has 32 bits, if you can call 340,282,366,920,938,463,463,374,607,431,768,211,456 a finite number.
We know rainbow tables exist but they are nowhere near complete (despite some claims I have seen on some sites). The only weakness, if you can call it that, is that often used passwords like "password" are clearly going to be at the top of any list.
Even if you could brute-force a server which had no built-in protection to prevent DDOS type attacks and your target software also had no protection AND you could send each attack in one 'byte' of data, look at that number again and tell me how many terabytes of bandwidth you would need.
I agree with M though, for business systems, a forced password change can be beneficial, provided it is implemented and maintained correctly. I have used such systems before but then cried with laughter after finding you only needed to change one character to have the new password accepted, and then at the next enforced password change you could revert to your previous password.
One well known IT company (who I obviously cannot name) does a huge amount of work for some very sensitive branches of UK Government and they keep a copy of accounts and passwords in use in an Excel file on an unprotected networked machine.
So security is really a very subjective thing.
Anyway, that's me out of the conversation. I much prefer physical security as that's my specialist area.