Ticket #1427 (closed enhancement: fixed)

Opened 2 years ago

Last modified 6 months ago

require password change upon login with auto-generated password sent via unsecure e-mail

Reported by: Phil Mocek <pmocek-trac-hacks@mocek.org>
Assigned to: mgood
Priority: normal
Component: AccountManagerPlugin
Severity: normal
Keywords: password reset e-mail insecure
Cc:
Trac Release: 0.11

Description

If a password is reset and sent through e-mail (these messages are currently sent in-the-clear), a user should be required to change his password immediately after logging in with the new, temporary password that was sent to him.

Attachments

force_password_change_on_password_resets.patch (9.6 kB) - added by s0undt3ch on 05/26/08 18:04:06.

Change History

08/19/07 04:57:57 changed by ThurnerRupert

see also #843 for email validation, captcha, ..

05/23/08 06:13:06 changed by s0undt3ch

I've implemented this for trac 0.11, i.e., the trunk version of this plugin.

You can download a patch from here and the admin config panel changes from here.

Basically if the option to force the users to change passwords after a password reset is enabled, the user will always be sent to /prefs/account after login to change his password with a nice warning message.

05/26/08 18:04:06 changed by s0undt3ch

  • attachment force_password_change_on_password_resets.patch added.

05/28/08 01:03:00 changed by pacopablo

  • status changed from new to closed.
  • resolution set to fixed.

(In [3731]) Added forcing password change after reset. Patch by s0undt3ch. Minor change such that the message indicating password reset needed isn't shown after a successful password reset. Fixes #1427

05/28/08 01:04:50 changed by pacopablo

  • release changed from 0.10 to 0.11.

FYI, this is a 0.11 only feature. Also, it is on by default and can be turned off in the account manager admin page.
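
The behaviour described in this ticket (a reset sets a server-side flag, and every request after login is redirected to /prefs/account until the password is actually changed) can be sketched as follows. This is an added example, not the AccountManagerPlugin patch or any Trac API: `Store`, `Account`, `gate`, the `/logout` exemption and the PBKDF2 parameters are all assumptions made for illustration.

```python
# Added illustration; not AccountManagerPlugin code. All names are hypothetical.
import hashlib, hmac, os
from dataclasses import dataclass, field

CHANGE_PATH = "/prefs/account"            # target named in the ticket
ALLOWED_PATHS = {CHANGE_PATH, "/logout"}  # assumed exemptions while a change is pending

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    salt: bytes
    digest: bytes
    must_change: bool = False  # kept server-side, never read from the client

    def verify(self, password):
        return hmac.compare_digest(self.digest, _hash(password, self.salt))

@dataclass
class Store:
    force_change: bool = True  # the ticket says the feature is on by default
    accounts: dict = field(default_factory=dict)

    def _set(self, user, password, must_change):
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash(password, salt), must_change)

    def reset_password(self, user, temp_password):
        """Store the temporary password (the one that travels by e-mail)."""
        self._set(user, temp_password, must_change=self.force_change)

    def gate(self, user, path):
        """Return a redirect target, or None to let the request through."""
        acct = self.accounts.get(user)
        if acct is None or not acct.must_change or path in ALLOWED_PATHS:
            return None  # exempting the form itself avoids a redirect loop
        return CHANGE_PATH

    def change_password(self, user, old, new):
        """Clear the flag only after a verified, genuinely new password."""
        acct = self.accounts.get(user)
        if acct is None or not acct.verify(old):
            return False
        if acct.must_change and acct.verify(new):
            return False  # re-submitting the e-mailed password must not count
        self._set(user, new, must_change=False)
        return True
```
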

