Opened 10 years ago

Closed 9 years ago

Last modified 6 years ago

#1427 closed enhancement (fixed)

require password change upon login with auto-generated password sent via unsecure e-mail

Reported by: Phil Mocek <pmocek-trac-hacks@…> Owned by: Matt Good
Priority: normal Component: AccountManagerPlugin
Severity: normal Keywords: password reset e-mail insecure
Cc: Trac Release: 0.11


If a password is reset and sent through e-mail (these messages are currently sent in-the-clear), a user should be required to change his password immediately after logging in with the new, temporary password that was sent to him.

Attachments (1)

force_password_change_on_password_resets.patch (9.6 KB) - added by Pedro Algarvio, aka, s0undt3ch 9 years ago.


Change History (6)

comment:1 Changed 10 years ago by rupert thurner

see also #843 for email validation, captcha, ..

comment:2 Changed 9 years ago by Pedro Algarvio, aka, s0undt3ch

I've implemented this for trac 0.11, i.e., the trunk version of this plugin.

You can download a patch from here and the admin config panel changes from here.

Basically if the option to force the users to change passwords after a password reset is enabled, the user will always be sent to /prefs/account after login to change his password with a nice warning message.
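The behaviour described above, as an added example and not the plugin's own code: a hypothetical per-user flag is set when a password is reset, login of a flagged user returns the /prefs/account redirect target, and a successful password change clears the flag (so the warning stops showing afterwards, as noted in comment:3). The `force_change` option models the admin-panel setting; passwords are kept unhashed only to keep the model short.

```python
"""Added example, not AccountManagerPlugin code: a minimal model of forcing a
password change after an e-mailed reset (hypothetical names throughout)."""
from dataclasses import dataclass, field
import hmac
import secrets

FORCE_CHANGE_FLAG = "force_change_passwd"  # hypothetical per-user flag name


@dataclass
class UserStore:
    passwords: dict = field(default_factory=dict)  # user -> password (model only)
    flags: dict = field(default_factory=dict)      # user -> {flag: True}

    def reset_password(self, user, force_change=True):
        """Generate a temporary password. The real plugin mails it in the
        clear, which is why a forced change on first login matters."""
        temp = secrets.token_urlsafe(12)
        self.passwords[user] = temp
        if force_change:
            self.flags.setdefault(user, {})[FORCE_CHANGE_FLAG] = True
        return temp

    def _check(self, user, password):
        stored = self.passwords.get(user)
        return stored is not None and hmac.compare_digest(stored, password)

    def login(self, user, password):
        """Return the post-login redirect target, or None on bad credentials.
        A flagged user is always sent to /prefs/account, as the ticket says."""
        if not self._check(user, password):
            return None
        if self.flags.get(user, {}).get(FORCE_CHANGE_FLAG):
            return "/prefs/account"
        return "/"

    def change_password(self, user, old, new):
        """Accept a new password and clear the flag; reject reuse of the
        temporary password so the forced change is not a no-op."""
        if not self._check(user, old) or old == new:
            return False
        self.passwords[user] = new
        self.flags.get(user, {}).pop(FORCE_CHANGE_FLAG, None)
        return True
```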

Changed 9 years ago by Pedro Algarvio, aka, s0undt3ch

comment:3 Changed 9 years ago by John Hampton

Resolution: fixed
Status: new → closed

(In [3731]) Added forcing password change after reset. Patch by s0undt3ch. Minor change such that the message indicating password reset needed isn't shown after a successful password reset. Fixes #1427

comment:4 Changed 9 years ago by John Hampton

Trac Release: 0.10 → 0.11

FYI, this is a 0.11 only feature. Also, it is on by default and can be turned off in the account manager admin page.

comment:5 Changed 6 years ago by Steffen Hoffmann

Because of #816 this feature has been rewritten lately.
