Modify

Opened 11 years ago

Closed 9 years ago

Last modified 6 years ago

#1427 closed enhancement (fixed)

require password change upon login with auto-generated password sent via unsecure e-mail

Reported by: Phil Mocek <pmocek-trac-hacks@…> Owned by: Matt Good
Priority: normal Component: AccountManagerPlugin
Severity: normal Keywords: password reset e-mail insecure
Cc: Trac Release: 0.11

Description

If a password is reset and sent though e-mail (these messages are currently sent in-the-clear) a user should be required to change his password immediately after logging in with the new, temporary password that was sent to him.

Attachments (1)

force_password_change_on_password_resets.patch (9.6 KB) - added by Pedro Algarvio, aka, s0undt3ch 9 years ago.

Download all attachments as: .zip

Change History (6)

comment:1 Changed 10 years ago by rupert thurner

see also #843 for email validation, captcha, ..

comment:2 Changed 9 years ago by Pedro Algarvio, aka, s0undt3ch

I've implemented this for trac 0.11, ie, the trunk version of this plugin.

You can download a patch from here and the admin config panel changes from here.

Basically if the option to force the users to change passwords after a password reset is enabled, the user will always be sent to /prefs/account after login to change his password with a nice warning message.

Changed 9 years ago by Pedro Algarvio, aka, s0undt3ch

comment:3 Changed 9 years ago by John Hampton

Resolution: fixed
Status: newclosed

(In [3731]) Added forcing password change after reset. Patch by s0undt3ch. Minor change such that the message indicating password reset needed isn't shown after a successful password reset. Fixes #1427

comment:4 Changed 9 years ago by John Hampton

Trac Release: 0.100.11

FYI, this is a 0.11 only feature. Also, it is on by default and can be turned off in the account manager admin page.

comment:5 Changed 6 years ago by Steffen Hoffmann

Because of #816 this feature has been rewritten lately.

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain Matt Good.
The resolution will be deleted.

Add Comment


E-mail address and name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.