#1427 closed enhancement (fixed)
require password change upon login with auto-generated password sent via unsecure e-mail
Reported by: | Owned by: | Matt Good | |
---|---|---|---|
Priority: | normal | Component: | AccountManagerPlugin |
Severity: | normal | Keywords: | password reset e-mail insecure |
Cc: | Trac Release: | 0.11 |
Description
If a password is reset and sent though e-mail (these messages are currently sent in-the-clear) a user should be required to change his password immediately after logging in with the new, temporary password that was sent to him.
Attachments (1)
Change History (6)
comment:1 Changed 17 years ago by
comment:2 Changed 17 years ago by
I've implemented this for trac 0.11, ie, the trunk version of this plugin.
You can download a patch from here and the admin config panel changes from here.
Basically if the option to force the users to change passwords after a password reset is enabled, the user will always be sent to /prefs/account
after login to change his password with a nice warning message.
Changed 17 years ago by
Attachment: | force_password_change_on_password_resets.patch added |
---|
comment:3 Changed 16 years ago by
Resolution: | → fixed |
---|---|
Status: | new → closed |
comment:4 Changed 16 years ago by
Trac Release: | 0.10 → 0.11 |
---|
FYI, this is a 0.11 only feature. Also, it is on by default and can be turned off in the account manager admin page.
see also #843 for email validation, captcha, ..