Modify ↓
#1427 closed enhancement (fixed)
require password change upon login with auto-generated password sent via unsecure e-mail
| Reported by: | Owned by: | Matt Good | |
|---|---|---|---|
| Priority: | normal | Component: | AccountManagerPlugin |
| Severity: | normal | Keywords: | password reset e-mail insecure |
| Cc: | Trac Release: | 0.11 |
Description
If a password is reset and sent though e-mail (these messages are currently sent in-the-clear) a user should be required to change his password immediately after logging in with the new, temporary password that was sent to him.
Attachments (1)
Change History (6)
comment:1 Changed 17 years ago by
comment:2 Changed 16 years ago by
I've implemented this for trac 0.11, ie, the trunk version of this plugin.
You can download a patch from here and the admin config panel changes from here.
Basically if the option to force the users to change passwords after a password reset is enabled, the user will always be sent to /prefs/account after login to change his password with a nice warning message.
Changed 16 years ago by
| Attachment: | force_password_change_on_password_resets.patch added |
|---|
comment:3 Changed 16 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
comment:4 Changed 16 years ago by
| Trac Release: | 0.10 → 0.11 |
|---|
FYI, this is a 0.11 only feature. Also, it is on by default and can be turned off in the account manager admin page.
Note: See
TracTickets for help on using
tickets.
see also #843 for email validation, captcha, ..