View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0005697 | Composr | core | public | 2024-04-14 18:42 | 2024-07-24 21:04 |
| Reporter | Patrick Schmalstig | Assigned To | |||
| Severity | Feature-request | ||||
| Status | non-assigned | Resolution | open | ||
| Product Version | |||||
| Fixed in Version | |||||
| Summary | 0005697: Add admin tool for mass invalidating member passwords | ||||
| Description | Add a user interface in the Admin Zone for easily mass-invalidating user passwords (e.g. requiring members to reset their passwords). Here are some ideas for criteria: - Members who have not logged in for X days - Members whose user account is older than X days (good for date-specific data leaks and targeting members who may have been in that leak) - Members who have not changed their password in X days or longer - Members in certain groups - Members using a legacy password scheme - Members whose password was ratcheted with a value less than specified (ratchets can easily be determined from the hash) - Members under the age of X (good for if we aren't concerned as much about the security of adult members as we are children) - Members who have a non-blank or non-null value for specific custom fields (good for resetting passwords of members who, say, have a credit card number on file) - Anything else we can think of | ||||
| Additional Information | Such tool would be very useful for quick action by staff in the event of a data breach or security concern. | ||||
| Tags | Roadmap: Over the horizon, Type: Security | ||||
| Time estimation (hours) | |||||
| Sponsorship open | |||||
| Note | Username | Date | Text |
|---|---|---|---|
| 0008889 | Chris Graham | 2024-07-23 15:00 | "Members who have not changed their password in X days or longer" - maybe, but most people hate this. https://pages.nist.gov/800-63-FAQ/#q-b05 |
| 0008893 | Patrick Schmalstig | 2024-07-23 16:32 | The point of this tool is to invalidate passwords in the event of a breach. So that criterion is not actually for password expiration but rather manually invalidating passwords which have not been changed in a long while (in the event of a breach) as they are more likely to exist in brute-force rainbow tables. Composr already has password expiration as a separate config option. |
| 0008905 | Chris Graham | 2024-07-24 21:04 | Ah, right. |
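The selection logic the description asks for, as an added Python example that is not Composr's own code. The `Member` and `Criteria` record shapes, the field names, the `session_generation` counter, and the use of the bcrypt cost parameter as the stand-in for Composr's ratchet are all assumptions made for the example; every member record is constructed sample data.

```python
"""Added example, not Composr's own code: select members for a mass password
invalidation using the criteria from the issue, then make the credential unverifiable.
Record layout, field names and bcrypt cost standing in for Composr's ratchet are assumptions."""
import re
from dataclasses import dataclass, replace
from datetime import date, datetime, timedelta, timezone
from typing import Optional

@dataclass
class Member:  # assumed record shape, not Composr's schema
    id: int
    password_hash: str              # bcrypt '$2y$<cost>$...' or a legacy digest
    hash_scheme: str                # 'bcrypt' or a legacy name such as 'md5'
    created_at: datetime
    last_login: Optional[datetime]  # None = never logged in
    password_changed_at: datetime
    groups: frozenset
    dob: Optional[date]
    custom_fields: dict
    must_reset: bool = False
    session_generation: int = 0     # sessions issued under an older value are rejected

@dataclass
class Criteria:  # a member is selected if ANY criterion that is set matches
    inactive_days: Optional[int] = None
    account_created_before: Optional[datetime] = None  # e.g. the date of the breach
    password_unchanged_days: Optional[int] = None
    groups: frozenset = frozenset()
    legacy_schemes: frozenset = frozenset()
    min_ratchet: Optional[int] = None  # bcrypt cost below this counts as weak
    under_age: Optional[int] = None
    nonblank_fields: frozenset = frozenset()

BCRYPT_RE = re.compile(r'^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$')
INVALIDATED_HASH = '!'  # parses under no scheme, so verification can never succeed

def ratchet_of(password_hash: str) -> Optional[int]:
    """Read the cost parameter out of a bcrypt hash; None for any other scheme."""
    m = BCRYPT_RE.match(password_hash)
    return int(m.group(1)) if m else None

def age_years(dob: date, now: datetime) -> int:
    today = now.date()
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))

def reasons_for(m: Member, c: Criteria, now: datetime) -> list:
    """Names of every criterion the member matches; an empty list means leave alone."""
    hit = []
    if c.inactive_days is not None and (
            m.last_login is None or now - m.last_login > timedelta(days=c.inactive_days)):
        hit.append('inactive')
    if c.account_created_before is not None and m.created_at < c.account_created_before:
        hit.append('account_predates_cutoff')
    if c.password_unchanged_days is not None and \
            now - m.password_changed_at > timedelta(days=c.password_unchanged_days):
        hit.append('password_unchanged')
    if c.groups & m.groups:
        hit.append('group')
    if m.hash_scheme in c.legacy_schemes:
        hit.append('legacy_scheme')
    ratchet = ratchet_of(m.password_hash)  # legacy digests carry no ratchet at all
    if c.min_ratchet is not None and ratchet is not None and ratchet < c.min_ratchet:
        hit.append('weak_ratchet')
    if c.under_age is not None and m.dob is not None and age_years(m.dob, now) < c.under_age:
        hit.append('under_age')
    if any(str(m.custom_fields.get(f) or '').strip() for f in c.nonblank_fields):
        hit.append('sensitive_field_set')
    return hit

def select_members(members, c: Criteria, now: datetime) -> dict:
    """Map member id -> matched criteria, so staff can review before the destructive step."""
    return {m.id: why for m in members if (why := reasons_for(m, c, now))}

def invalidate(m: Member) -> Member:
    """Overwrite the hash, force a reset, and bump the generation to end live sessions."""
    return replace(m, password_hash=INVALIDATED_HASH, must_reset=True,
                   session_generation=m.session_generation + 1)

UTC = timezone.utc
def dt(y, mo, d): return datetime(y, mo, d, tzinfo=UTC)  # helper for the sample dates
NOW = dt(2024, 7, 24)
TAIL = 'N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy'  # sample salt+digest, not a live credential
SAMPLE_MEMBERS = [  # constructed data
    Member(1, '$2y$12$' + TAIL, 'bcrypt', dt(2023, 1, 10), dt(2024, 7, 20), dt(2024, 6, 1),
           frozenset({'Members'}), date(1990, 5, 5), {'card_number': ''}),
    Member(2, '$2y$10$' + TAIL, 'bcrypt', dt(2023, 3, 3), dt(2024, 7, 1), dt(2024, 7, 1),
           frozenset({'Members'}), date(1985, 2, 2), {}),
    Member(3, '5f4dcc3b5aa765d61d8327deb882cf99', 'md5', dt(2019, 6, 1), dt(2022, 11, 30),
           dt(2022, 11, 30), frozenset({'Members'}), None, {}),
    Member(4, '$2y$12$' + TAIL, 'bcrypt', dt(2024, 5, 1), dt(2024, 7, 23), dt(2024, 5, 1),
           frozenset({'Members', 'Staff'}), date(1979, 12, 1), {'card_number': 'tok_sample_1'}),
    Member(5, '$2y$12$' + TAIL, 'bcrypt', dt(2024, 6, 1), None, dt(2024, 6, 1),
           frozenset({'Members'}), date(2010, 9, 1), {}),
]
BREACH_CRITERIA = Criteria(inactive_days=180, password_unchanged_days=365,
                           groups=frozenset({'Staff'}), legacy_schemes=frozenset({'md5'}),
                           min_ratchet=11, under_age=18, nonblank_fields=frozenset({'card_number'}))
```

`select_members` returns the matched criteria per member rather than a bare id list so staff can see why each account was picked before confirming. Two points a practitioner would want from such a tool are shown: the ratchet check only applies where a cost can actually be read from the hash (a legacy digest has none, and is caught by the scheme criterion instead), and invalidating means overwriting the stored hash with a value no scheme can verify and ending existing sessions via the generation counter, since a "must reset" flag on its own leaves an attacker who already holds a session logged in.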
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2024-04-14 18:42 | Patrick Schmalstig | New Issue | |
| 2024-04-14 18:42 | Patrick Schmalstig | Tag Attached: Roadmap: Over the horizon | |
| 2024-07-23 14:58 | Chris Graham | Tag Attached: Type: Security | |
| 2024-07-23 15:00 | Chris Graham | Note Added: 0008889 | |
| 2024-07-23 16:32 | Patrick Schmalstig | Note Added: 0008893 | |
| 2024-07-23 16:33 | Patrick Schmalstig | Note Edited: 0008893 | |
| 2024-07-24 21:04 | Chris Graham | Note Added: 0008905 | |