Opened 17 years ago

Closed 16 years ago

Last modified 13 years ago

#1427 closed enhancement (fixed)

require password change upon login with auto-generated password sent via unsecure e-mail

Reported by: Phil Mocek <pmocek-trac-hacks@…>
Owned by: Matt Good
Priority: normal
Component: AccountManagerPlugin
Severity: normal
Keywords: password reset e-mail insecure
Cc:
Trac Release: 0.11


If a password is reset and sent through e-mail (these messages are currently sent in-the-clear), a user should be required to change his password immediately after logging in with the new, temporary password that was sent to him.

Attachments (1)

force_password_change_on_password_resets.patch (9.6 KB) - added by Pedro Algarvio, aka, s0undt3ch 16 years ago.


Change History (6)

comment:1 Changed 17 years ago by rupert thurner

see also #843 for email validation, captcha, ..

comment:2 Changed 16 years ago by Pedro Algarvio, aka, s0undt3ch

I've implemented this for Trac 0.11, i.e., the trunk version of this plugin.

You can download a patch from here and the admin config panel changes from here.

Basically if the option to force the users to change passwords after a password reset is enabled, the user will always be sent to /prefs/account after login to change his password with a nice warning message.

Changed 16 years ago by Pedro Algarvio, aka, s0undt3ch

comment:3 Changed 16 years ago by John Hampton

Resolution: fixed
Status: new → closed

(In [3731]) Added forcing password change after reset. Patch by s0undt3ch. Minor change such that the message indicating password reset needed isn't shown after a successful password reset. Fixes #1427

comment:4 Changed 16 years ago by John Hampton

Trac Release: 0.10 → 0.11

FYI, this is a 0.11 only feature. Also, it is on by default and can be turned off in the account manager admin page.

comment:5 Changed 13 years ago by Steffen Hoffmann

Because of #816 this feature has been rewritten lately.
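
The behaviour described in comment:2 through comment:4, as an added example that is not the plugin's code or the attached patch: a hypothetical in-memory `Accounts` store and `route` function (both names are assumptions) mark an account at reset time, send every request to /prefs/account while the mark is set, and show no warning once the password has been changed. Rejecting reuse of the temporary password is an extra assumption, not something the ticket states.

```python
import hashlib
import hmac
import os
import secrets

PREFS_PATH = "/prefs/account"  # page named in comment:2


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Accounts:
    """Hypothetical in-memory store, not AccountManagerPlugin's API."""

    def __init__(self, force_change=True):  # on by default, as in comment:4
        self.force_change = force_change
        self.creds = {}           # user -> (salt, digest)
        self.must_change = set()  # users holding an e-mailed temporary password

    def _set(self, user, password):
        salt = os.urandom(16)
        self.creds[user] = (salt, _digest(password, salt))

    def check(self, user, password):
        salt, digest = self.creds.get(user, (b"\0" * 16, b""))
        return hmac.compare_digest(digest, _digest(password, salt))

    def reset_password(self, user):
        temp = secrets.token_urlsafe(12)
        self._set(user, temp)
        if self.force_change:
            self.must_change.add(user)
        return temp  # the value that travels in the unencrypted e-mail

    def change_password(self, user, new):
        if self.check(user, new):  # assumption: temp password may not be kept
            raise ValueError("new password must differ from the current one")
        self._set(user, new)
        self.must_change.discard(user)


def route(accounts, user, path, new_password=None):
    """Decide what an authenticated request gets: (status, location, warning)."""
    if path == PREFS_PATH and new_password is not None:
        accounts.change_password(user, new_password)
    if user not in accounts.must_change:
        return 200, path, None        # flag cleared: no warning is shown
    if path != PREFS_PATH:
        return 303, PREFS_PATH, None  # every other page bounces to the form
    return 200, path, "Your password was reset by e-mail; choose a new one now."
```

The flag lives with the account rather than the session, so logging out and back in with the temporary password does not skip the redirect.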
