Add Password Expiration functionality
Closed, Resolved, Public

Description

In the event that the site owner needs the users to change their password for some reason, it would be nice for MediaWiki to have the concept of password expiration.

Typically, I've seen this implemented so that a date attribute is stored on the User, and then, a configurable number of days before or after that date, the user gets a "soft" password reset on login: they are asked to change their password, but they are still logged in and can skip the process for now. After the "soft" phase, the user gets a "hard" reset, and cannot log in without changing their password.

After the user resets their password, we could probably have a flag to automatically set the next expiration date, for users that need to comply with password-reset schedules.

The WMF currently has a hack in place on their sites to do a "hard" reset for a set of users, so having this feature in core would decrease our tech-debt, as well as providing a better product for other users of MediaWiki.


Version: 1.22.0
Severity: enhancement
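
The soft/hard expiry scheme from the description, as an added PHP example that is not part of the original task and not MediaWiki's code. All class, method and parameter names are hypothetical, and it assumes the "soft" phase is a grace period that starts at the stored date.

```php
<?php
declare(strict_types=1);

// Hypothetical names throughout; this is not MediaWiki's implementation.
final class PasswordExpiryPolicy
{
    public const VALID = 'valid';
    public const SOFT  = 'soft';  // prompt to change; login still allowed, prompt skippable
    public const HARD  = 'hard';  // no session is created until the password is changed

    public function __construct(
        private int $graceDays,      // length of the "soft" phase after the expiry date
        private ?int $rotationDays   // null = no automatic re-expiry after a change
    ) {
        if ($graceDays < 0 || ($rotationDays !== null && $rotationDays <= 0)) {
            throw new InvalidArgumentException('invalid policy settings');
        }
    }

    /** Classify a login attempt against the date stored on the user. */
    public function stateAt(?DateTimeImmutable $expires, DateTimeImmutable $now): string
    {
        if ($expires === null || $now < $expires) {
            return self::VALID;      // no expiry set, or not reached yet
        }
        $hardFrom = $expires->add(new DateInterval("P{$this->graceDays}D"));
        return $now < $hardFrom ? self::SOFT : self::HARD;
    }

    /** Expiry date to store after a successful password change. */
    public function nextExpiry(DateTimeImmutable $changedAt): ?DateTimeImmutable
    {
        return $this->rotationDays === null
            ? null
            : $changedAt->add(new DateInterval("P{$this->rotationDays}D"));
    }
}

// Constructed sample: expiry date 2014-01-01, 7-day grace, 90-day rotation.
$utc     = new DateTimeZone('UTC');
$policy  = new PasswordExpiryPolicy(7, 90);
$expires = new DateTimeImmutable('2014-01-01', $utc);
foreach (['2013-12-31', '2014-01-03', '2014-01-08'] as $day) {
    echo $day, ' => ', $policy->stateAt($expires, new DateTimeImmutable($day, $utc)), PHP_EOL;
}
echo $policy->nextExpiry(new DateTimeImmutable('2014-01-03', $utc))->format('Y-m-d'), PHP_EOL;
```

The state has to be evaluated server-side at authentication time, before the session is established, so that the "hard" state cannot be skipped by navigating away from the change-password form.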

Details

Reference
bz54997

Event Timeline

bzimport raised the priority of this task from to Medium. Nov 22 2014, 2:13 AM
bzimport set Reference to bz54997.

Oh, and as Daniel mentioned on https://bugzilla.wikimedia.org/show_bug.cgi?id=28419#c82, we should add a way for a custom message when we trigger big resets.

(In reply to comment #0)

> the user gets a "hard" reset, and cannot log in without changing their password.

maybe add "to a new, different password", or even "to a password that has never been used for this account".

Change 92037 had a related patch set uploaded by CSteipp:
Password Expiration (WIP)

https://gerrit.wikimedia.org/r/92037

Change 92037 merged by jenkins-bot:
Password Expiration

https://gerrit.wikimedia.org/r/92037