MyBB Community Forums

Password reset and expiration
Hi Team,
I have a suggestion regarding password reset in MyBB 1.10 series.
There are cases when you want password of your forum to expire after 3 months or even better to give administrator to force users to change password before logging into MyBB forum.
I feel this should be a core feature where admin can either force all users of forum to change password or password expire after X days or Y months etc.


Regards
WallBB
Yeah... This could be useful for users' security, but it is pointless if, for example, you have 2 posts on a forum and nothing to lose but the forum is forcing you to change it. Also, some people really rarely change their password. Even I have some services on which I haven't changed it for a few years...

So, this could be useful but in my opinion not something really necessary for most of forums... But I don't know for sure Big Grin
Not something I would want. Being forced to change my password would annoy me enough to make me leave a forum.

I also get the occasional member often getting problems remembering their password as it is, so if it is put in core it must have an Off Switch for me.
I find the idea useful enough to consider for core, but make it optional and configurable. Force password change would be handy after a data breach or when upgrading hashing / encryption method.
I don't know about being forced to change your password every couple months. While definitely great for security, it would only serve to annoy your users imho.

Now on the other hand, like laie_techie has said, a single option to force a password change on all users at once would be very great to have, for the reasons mentioned.
I agree that this should be added. Doing it every few months would be a pain but a mass force reset after a data breach would be very useful.

I'd also recommend adding an option to only target a few (or only one) users, as account hijacks and other assorted nastiness can happen, and it's just an all-around good moderation tool to have.
I would certainly agree with the administrator being able to force a global password reset. However forcing users to change their password every few weeks has actually proven to cause people to create and use less and less secure passwords due to them getting tired of changing it all the time.
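The three mechanisms discussed in this thread (a site-wide forced reset after a breach or hash upgrade, a per-account forced reset for a hijacked user, and an optional expiry after X days with an off switch) can all be expressed as one check run after a successful login. The following is an added example written for this page, not MyBB code and not a proposed patch; the `User`, `Policy`, `login` and `reset_reason` names, the PBKDF2 hash format and the iteration counts are assumptions chosen for illustration. The site-wide reset is modelled as a single cutoff timestamp rather than a flag written to every user row, so an administrator can trigger it with one setting change and it still catches accounts that have not logged in since.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed current hashing parameters (illustrative, not MyBB's own).
CURRENT_ITERATIONS = 100_000


@dataclass
class User:
    name: str
    pw_hash: str              # "pbkdf2_sha256$<iterations>$<salt_hex>$<dk_hex>"
    pw_changed_at: float      # unix time the password was last set
    force_reset: bool = False  # per-account flag, e.g. after a hijack (hypothetical field)


@dataclass
class Policy:
    max_age_days: Optional[int] = None          # None = expiry switched off
    global_reset_before: Optional[float] = None  # admin-set cutoff: passwords set before
                                                 # this instant must be changed (site-wide reset)
    min_iterations: int = CURRENT_ITERATIONS     # hashes weaker than this trigger a reset


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256; the iteration count is stored so it can be checked later."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iterations and compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def reset_reason(user: User, policy: Policy, now: Optional[float] = None) -> Optional[str]:
    """Return why this user must pick a new password, or None if they may continue."""
    now = time.time() if now is None else now
    if user.force_reset:
        return "reset required for this account by an administrator"
    if policy.global_reset_before is not None and user.pw_changed_at < policy.global_reset_before:
        return "site-wide password reset (set before the cutoff)"
    stored_iters = int(user.pw_hash.split("$")[1])
    if stored_iters < policy.min_iterations:
        return "stored hash uses outdated parameters"
    if policy.max_age_days is not None and now - user.pw_changed_at > policy.max_age_days * 86400:
        return f"password older than {policy.max_age_days} days"
    return None


def login(user: User, password: str, policy: Policy,
          now: Optional[float] = None) -> Tuple[str, Optional[str]]:
    """Verify the credential FIRST; a reset prompt must never bypass authentication,
    otherwise the reset flow itself becomes the account-takeover vector."""
    if not verify_password(password, user.pw_hash):
        return ("denied", None)
    reason = reset_reason(user, policy, now)
    if reason is not None:
        return ("must_change_password", reason)
    return ("ok", None)


def change_password(user: User, new_password: str, policy: Policy,
                    now: Optional[float] = None) -> None:
    """Store the new hash with current parameters and clear every reset condition."""
    user.pw_hash = hash_password(new_password, policy.min_iterations)
    user.pw_changed_at = time.time() if now is None else now
    user.force_reset = False


def demo() -> str:
    """Walk through the thread's scenarios with constructed sample data."""
    t0 = 1_700_000_000.0                      # constructed 'password set' time
    alice = User("alice", hash_password("correct horse", 50_000), t0)  # old, weak hash
    # Admin response to a breach: everyone who set a password before t0 + 1 must change it.
    policy = Policy(max_age_days=None, global_reset_before=t0 + 1)
    state, reason = login(alice, "correct horse", policy, now=t0 + 10)
    change_password(alice, "battery staple", policy, now=t0 + 20)
    state2, _ = login(alice, "battery staple", policy, now=t0 + 30)
    return f"{state}: {reason}; after change: {state2}"


if __name__ == "__main__":
    print(demo())
```

The hash-parameter check is the one case where a forced change is optional: if the old hash is still a sound algorithm, the server can silently re-hash on the next successful login (the plaintext is available at that moment) instead of bothering the user. The expiry branch is deliberately off by default, matching the thread's consensus that calendar-based rotation mostly produces "password2" and annoyed members.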
Agreed, it mostly serves to provide an illusion of security, and often times, someone might just change the number on the end of the password. Promoting 2FA (even with a desktop authenticator), encouraging use of password managers, etc. would go a lot further for protecting accounts.

Some even say that a desktop authenticator is more secure than a mobile one, as mobile network systems and support staff are surprisingly easy to trick, apparently. I've read some articles where carriers can be unbelievably moronic about security like only allowing short numeric passwords for allowing people to manage their accounts with no rate-limit.
(2017-12-13, 10:46 PM)kawaii Wrote: I would certainly agree with the administrator being able to force a global password reset. However forcing users to change their password every few weeks has actually proven to cause people to create and use less and less secure passwords due to them getting tired of changing it all the time.
That's why an option where the admin can configure it to X days, months or even a year will be a great option.

(2017-12-14, 03:16 AM)Azah Wrote: Agreed, it mostly serves to provide an illusion of security, and often times, someone might just change the number on the end of the password. Promoting 2FA (even with a desktop authenticator), encouraging use of password managers, etc. would go a lot further for protecting accounts.

Some even say that a desktop authenticator is more secure than a mobile one, as mobile network systems and support staff are surprisingly easy to trick, apparently. I've read some articles where carriers can be unbelievably moronic about security like only allowing short numeric passwords for allowing people to manage their accounts with no rate-limit.
Yes, the integration of authenticator will be a very good option for sure.

And thanks all for your reviews, I believe it is a great addition as core which can be optional for administrator to use or not Smile
(2017-12-13, 09:41 PM)laie_techie Wrote: I find the idea useful enough to consider for core, but make it optional and configurable.

This. I don't think it should be a static time, or enabled by default.