[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Proposal for 1.3: Password expiration

Chris Travers wrote:
Hi all;

Aince I am now in the process of testing the user/role management
stuff for 1.3, I was thinking a sensible password expiration interface
would be a good thing to add.

Here is what I am thinking:

In System/defaults, we can add a value for the number of days a
password is valid for.

For the last week, a popup occurs once per day reminding one of the
need to change one's password.
In the last day, a popup occurs once per hour.

The rest can be easily pushed into our user management procedures
(already working).

What do people think?

As long as it's optional...

I have always held the view that expiring passwords are less secure than non-expiring ones and lead to increased password recovery maintenance issues. An expiring password has more risk of being forgotten, and hence has a greater chance that the user would need to write it down, or change it according to a predictable sequence.

When did you last change the pin code on your credit card?