Opened 7 years ago

Closed 6 years ago

Last modified 3 years ago

#1427 closed enhancement (fixed)

require password change upon login with auto-generated password sent via unsecure e-mail

Reported by: Phil Mocek <pmocek-trac-hacks@…> Owned by: mgood
Priority: normal Component: AccountManagerPlugin
Severity: normal Keywords: password reset e-mail insecure
Cc: Trac Release: 0.11


If a password is reset and sent through e-mail (these messages are currently sent in-the-clear), a user should be required to change his password immediately after logging in with the new, temporary password that was sent to him.

Attachments (1)

force_password_change_on_password_resets.patch (9.6 KB) - added by s0undt3ch 6 years ago.


Change History (6)

comment:1 Changed 7 years ago by ThurnerRupert

see also #843 for email validation, captcha, ..

comment:2 Changed 6 years ago by s0undt3ch

I've implemented this for Trac 0.11, i.e., the trunk version of this plugin.

You can download a patch from here and the admin config panel changes from here.

Basically if the option to force the users to change passwords after a password reset is enabled, the user will always be sent to /prefs/account after login to change his password with a nice warning message.
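The behaviour described in comment:2, as an added sketch that is not part of the ticket, the attached patch or the AccountManagerPlugin code. `AccountStore`, `route` and the `/logout` exemption are hypothetical names and assumptions; the sketch also assumes the redirect is enforced on every request rather than only on the one following login, and that the e-mailed password cannot be re-used as the new one.

```python
import hashlib
import secrets

PREFS_PATH = "/prefs/account"                    # path named in comment:2
ALLOWED_WHILE_FORCED = {PREFS_PATH, "/logout"}   # assumption: logout stays reachable


class AccountStore:
    """In-memory stand-in for a password store (hypothetical, not Trac's API)."""

    def __init__(self):
        self._users = {}  # user -> {"salt", "hash", "force_change"}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, user, password, force_change=False):
        salt = secrets.token_bytes(16)
        self._users[user] = {"salt": salt, "hash": self._hash(password, salt),
                             "force_change": force_change}

    def reset_password(self, user):
        """Replace the password with a random temporary one and flag the account."""
        temp = secrets.token_urlsafe(12)  # this value travels by clear-text e-mail
        self.set_password(user, temp, force_change=True)
        return temp

    def check(self, user, password):
        rec = self._users.get(user)
        return rec is not None and secrets.compare_digest(
            rec["hash"], self._hash(password, rec["salt"]))

    def must_change(self, user):
        return self._users[user]["force_change"]

    def change_password(self, user, old, new):
        # Reject a wrong current password and reuse of the e-mailed one.
        if not self.check(user, old) or new == old:
            return False
        self.set_password(user, new)  # force_change defaults to False: flag cleared
        return True


def route(store, user, path):
    """Path to serve for an authenticated request; gate applies to every request."""
    if store.must_change(user) and path not in ALLOWED_WHILE_FORCED:
        return PREFS_PATH
    return path
```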

Changed 6 years ago by s0undt3ch

comment:3 Changed 6 years ago by pacopablo

  • Resolution set to fixed
  • Status changed from new to closed

(In [3731])
Added forcing password change after reset. Patch by s0undt3ch. Minor change such that the message indicating password reset needed isn't shown after a successful password reset. Fixes #1427

comment:4 Changed 6 years ago by pacopablo

  • Trac Release changed from 0.10 to 0.11

FYI, this is a 0.11 only feature. Also, it is on by default and can be turned off in the account manager admin page.

comment:5 Changed 3 years ago by hasienda

Because of #816 this feature has been rewritten lately.
