
Opened 8 years ago

Closed 7 years ago

Last modified 4 years ago

#1427 closed enhancement (fixed)

require password change upon login with auto-generated password sent via unsecure e-mail

Reported by: Phil Mocek <pmocek-trac-hacks@…>
Owned by: mgood
Priority: normal
Component: AccountManagerPlugin
Severity: normal
Keywords: password reset e-mail insecure
Cc:
Trac Release: 0.11

Description

If a password is reset and sent through e-mail (these messages are currently sent in-the-clear), a user should be required to change his password immediately after logging in with the new, temporary password that was sent to him.

Attachments (1)

force_password_change_on_password_resets.patch (9.6 KB) - added by s0undt3ch 7 years ago.


Change History (6)

comment:1 Changed 7 years ago by ThurnerRupert

see also #843 for email validation, captcha, ..

comment:2 Changed 7 years ago by s0undt3ch

I've implemented this for trac 0.11, i.e., the trunk version of this plugin.

You can download a patch from here and the admin config panel changes from here.

Basically if the option to force the users to change passwords after a password reset is enabled, the user will always be sent to /prefs/account after login to change his password with a nice warning message.
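The flow described in this comment, as an added illustration that is not the plugin's code or the attached patch: a small account store that marks an account after an e-mailed reset so that the first login is redirected to /prefs/account until the temporary password is replaced. The `AccountStore` class, its `force_change` flag, the PBKDF2 hashing and the constructed user names are assumptions for this example; only the redirect target and the on-by-default option come from the ticket.

```python
"""Added example, not AccountManagerPlugin code. Models "force password change
after reset": a reset issues a temporary password (the value that would be
e-mailed in the clear), and login keeps redirecting to /prefs/account until
the user replaces it. Class and flag names are assumptions for illustration."""
import hashlib
import hmac
import os
import secrets

PREFS_URL = "/prefs/account"  # redirect target named in the ticket


class AccountStore:
    def __init__(self, force_change_after_reset=True):
        # Option described in comment:4: on by default, can be turned off.
        self.force_change_after_reset = force_change_after_reset
        self._users = {}  # name -> {"salt", "hash", "force_change"}

    @staticmethod
    def _hash(password, salt):
        # Salted, slow hash so the stored value is not the password itself.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, user, password, force_change=False):
        salt = os.urandom(16)
        self._users[user] = {
            "salt": salt,
            "hash": self._hash(password, salt),
            "force_change": force_change,
        }

    def reset_password(self, user):
        """Issue a random temporary password and flag the account so the
        next login must change it. The returned value is what the plugin
        would mail out; the store only keeps its hash."""
        temp = secrets.token_urlsafe(12)
        self.set_password(user, temp, force_change=self.force_change_after_reset)
        return temp

    def verify(self, user, password):
        rec = self._users.get(user)
        if rec is None:
            return False
        # Constant-time comparison of the two digests.
        return hmac.compare_digest(self._hash(password, rec["salt"]), rec["hash"])

    def login(self, user, password):
        """Return None on bad credentials, otherwise the path to land on:
        /prefs/account (with the warning) while a change is pending, else /."""
        if not self.verify(user, password):
            return None
        if self._users[user]["force_change"]:
            return PREFS_URL
        return "/"

    def change_password(self, user, old_password, new_password):
        """Clear the flag only once a genuinely new password is accepted, so
        the 'reset needed' message stops after a successful change (the
        detail fixed in comment:3) and the mailed password stops working."""
        if not self.verify(user, old_password):
            return False
        if old_password == new_password or len(new_password) < 8:
            return False
        self.set_password(user, new_password, force_change=False)
        return True


def demo():
    """Walk through reset -> forced redirect -> rejected reuse -> change -> normal login."""
    store = AccountStore()
    store.set_password("alice", "original-secret")  # constructed sample account
    temp = store.reset_password("alice")
    first = store.login("alice", temp)                    # "/prefs/account"
    reused = store.change_password("alice", temp, temp)   # False: same password
    changed = store.change_password("alice", temp, "a-brand-new-passphrase")  # True
    after = store.login("alice", "a-brand-new-passphrase")  # "/"
    stale = store.login("alice", temp)                    # None: temp no longer valid
    return first, reused, changed, after, stale


if __name__ == "__main__":
    print(demo())
```

With `force_change_after_reset=False` the reset still rotates the password but `login` goes straight to `/`, which is the behaviour a site gets by turning the option off in the admin page.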

Changed 7 years ago by s0undt3ch

comment:3 Changed 7 years ago by pacopablo

  • Resolution set to fixed
  • Status changed from new to closed

(In [3731]) Added forcing password change after reset. Patch by s0undt3ch. Minor change such that the message indicating password reset needed isn't shown after a successful password reset. Fixes #1427

comment:4 Changed 7 years ago by pacopablo

  • Trac Release changed from 0.10 to 0.11

FYI, this is a 0.11 only feature. Also, it is on by default and can be turned off in the account manager admin page.

comment:5 Changed 4 years ago by hasienda

Because of #816 this feature has been rewritten lately.
