#1427 closed enhancement (fixed)
require password change upon login with auto-generated password sent via insecure e-mail
| Reported by: | Phil Mocek <pmocek-trac-hacks@…> | Owned by: | mgood |
|---|---|---|---|
| Priority: | normal | Component: | AccountManagerPlugin |
| Severity: | normal | Keywords: | password reset e-mail insecure |
| Cc: | | Trac Release: | 0.11 |
Description
If a password is reset and sent through e-mail (these messages are currently sent in-the-clear), a user should be required to change his password immediately after logging in with the new, temporary password that was sent to him.
Attachments (1)
Change History (6)
comment:1 Changed 6 years ago by ThurnerRupert
comment:2 Changed 5 years ago by s0undt3ch
I've implemented this for trac 0.11, i.e., the trunk version of this plugin.
You can download a patch from here and the admin config panel changes from here.
Basically, if the option to force the users to change passwords after a password reset is enabled, the user will always be sent to /prefs/account after login to change his password with a nice warning message.
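The behaviour described in comment 2 (a must-change flag set when a temporary password is generated, every request redirected to /prefs/account until the password is changed, and the admin option from comment 4 to switch the gate off), as a standalone Python model. This is an added example, not the plugin's patch; the exempt paths and the one-hour lifetime of the e-mailed password are assumptions.

```python
import hashlib
import hmac
import os
import time

PREFS_ACCOUNT = "/prefs/account"                      # destination until the password is changed
EXEMPT_PATHS = {PREFS_ACCOUNT, "/logout", "/chrome"}  # assumed: must stay reachable while gated
TEMP_PASSWORD_TTL = 3600                              # assumed: lifetime of an e-mailed password


class AccountStore:
    def __init__(self, force_change_after_reset=True):
        # the admin option from comment 4: on by default, can be turned off
        self.force_change_after_reset = force_change_after_reset
        self.users = {}  # name -> {"salt", "hash", "must_change", "temp_expires"}

    def _hash(self, salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, name, password, temporary=False):
        salt = os.urandom(16)
        self.users[name] = {
            "salt": salt,
            "hash": self._hash(salt, password),
            "must_change": temporary and self.force_change_after_reset,
            "temp_expires": time.time() + TEMP_PASSWORD_TTL if temporary else None,
        }

    def reset_password(self, name):
        """Generate the temporary password that would be e-mailed, flagging the account."""
        temp = os.urandom(9).hex()
        self.set_password(name, temp, temporary=True)
        return temp

    def check_password(self, name, password):
        u = self.users.get(name)
        if u is None:
            return False
        if u["temp_expires"] is not None and time.time() > u["temp_expires"]:
            return False  # an e-mailed password that sat unused too long is no longer valid
        return hmac.compare_digest(u["hash"], self._hash(u["salt"], password))

    def change_password(self, name, old, new):
        if not self.check_password(name, old):
            return False
        self.set_password(name, new)  # a permanent password clears the flag and the expiry
        return True


def redirect_for(store, name, path):
    """Per-request gate: the redirect target, or None to let the request through."""
    u = store.users.get(name)
    if u and u["must_change"] and not any(path.startswith(p) for p in EXEMPT_PATHS):
        return PREFS_ACCOUNT
    return None
```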
Changed 5 years ago by s0undt3ch
comment:3 Changed 5 years ago by pacopablo
- Resolution set to fixed
- Status changed from new to closed
comment:4 Changed 5 years ago by pacopablo
- Trac Release changed from 0.10 to 0.11
FYI, this is a 0.11 only feature. Also, it is on by default and can be turned off in the account manager admin page.
comment:5 Changed 2 years ago by hasienda
Because of #816 this feature has been rewritten lately.
See also #843 for email validation, captcha, ...