#2304 - Greater password reset flexibility

Identifier #2304
Issue type Feature request or suggestion
Title Greater password reset flexibility
Status Completed
Tags

Roadmap: v11 (custom)

Type: Security (custom)

Handling member Chris Graham
Addon core_cns
Description Different sites want different complexities. We range from a situation of a non-important site that is accessed by people on fiddly smartphones who don't even know how to use computers properly, to a very high-security enterprise extranet.

Implement 3 config options, replacing current password reset options:
- List, New password comes from (*):
  - randomly generated and shown in 1st e-mail [**]
  - user [after link clicked from 1st e-mail]
  - randomly generated and shown after link clicked from 1st e-mail
  - randomly generated and sent in 2nd e-mail
- Checkbox, Ultra reset security: the 1st e-mail doesn't actually include a link, it just includes a raw reset code/password, with an obfuscated sender (From) name. The user has to know what it is in order to use it.
- Checkbox, New password assigned is temporary only and must be changed when logging in (only applies if "user" wasn't selected for "new password comes from")
- Integer, How long reset codes last for, in minutes
- Checkbox, Reset codes are numeric (numeric is easier to type, especially on a smartphone, but less secure against brute-force cracking)

* In increasing order of security
** In this case the password reset code also works as a login password. When you log in using it, the system recognises this situation, and copies it to your password, making the password reset code null again.
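The options above combine into one lifecycle: generate a code from a CSPRNG, store only a hash of it, reject it once its lifetime in minutes has passed, accept it exactly once, and flag the resulting password as temporary when that checkbox is set. The block below is an added example sketching that lifecycle; it is not Composr code or Chris Graham's implementation. The SHA-256 storage, the per-user attempt cap (`max_attempts`), the return strings and the `ResetStore` shape are all assumptions made for the illustration. The `code_entropy_bits` helper quantifies the numeric-versus-alphanumeric trade-off the last option describes: six digits give about 20 bits of guessing resistance, six alphanumerics about 36, which is why a numeric code wants a shorter lifetime and an attempt cap.

```python
"""Reset-code issue and redemption (example only, not the project's code)."""
import hashlib
import hmac
import math
import secrets
import string
from dataclasses import dataclass, field

NUMERIC = string.digits                                # 10 symbols per character
ALPHANUMERIC = string.ascii_letters + string.digits    # 62 symbols per character


def generate_reset_code(length: int, numeric: bool) -> str:
    """Draw each character from a CSPRNG; numeric codes are easier to type but weaker."""
    alphabet = NUMERIC if numeric else ALPHANUMERIC
    return "".join(secrets.choice(alphabet) for _ in range(length))


def code_entropy_bits(length: int, numeric: bool) -> float:
    """Guessing resistance in bits: log2 of the keyspace for a code of this shape."""
    return length * math.log2(len(NUMERIC if numeric else ALPHANUMERIC))


def _hash_code(code: str) -> str:
    # Assumption: plain SHA-256 is enough here because the code is high-entropy
    # and short-lived; storing only the hash keeps a leaked table from yielding live codes.
    return hashlib.sha256(code.encode("utf-8")).hexdigest()


@dataclass
class ResetRecord:
    code_hash: str
    expires_at: float           # unix seconds, derived from the "minutes" option
    temporary_password: bool    # the "must be changed when logging in" checkbox
    used: bool = False
    failed_attempts: int = 0


@dataclass
class ResetStore:
    """Holds the config options from the description plus pending records per user."""
    lifetime_minutes: int
    numeric_codes: bool
    code_length: int
    temporary_password: bool
    max_attempts: int = 5                      # assumed cap, not from the description
    records: dict = field(default_factory=dict)

    def issue(self, user_id: str, now: float) -> str:
        code = generate_reset_code(self.code_length, self.numeric_codes)
        self.records[user_id] = ResetRecord(
            code_hash=_hash_code(code),
            expires_at=now + self.lifetime_minutes * 60,
            temporary_password=self.temporary_password,
        )
        return code   # the plaintext only leaves the server inside the e-mail

    def redeem(self, user_id: str, presented: str, now: float) -> str:
        """Return 'ok', 'ok_must_change', or the reason the code was refused."""
        rec = self.records.get(user_id)
        if rec is None:
            return "no_pending_reset"
        if rec.used:
            return "already_used"
        if now > rec.expires_at:
            return "expired"
        if rec.failed_attempts >= self.max_attempts:
            return "locked"
        # Constant-time comparison of the hashes avoids leaking match length by timing.
        if not hmac.compare_digest(rec.code_hash, _hash_code(presented)):
            rec.failed_attempts += 1
            return "wrong_code"
        rec.used = True   # single use: a replayed e-mail link cannot reset again
        return "ok_must_change" if rec.temporary_password else "ok"
```

With `numeric_codes=True`, `code_length=6` and `lifetime_minutes=10`, the store accepts the code once within ten minutes and refuses it afterwards; the entropy helper shows why that configuration leans on the short lifetime and the attempt cap rather than on the code itself.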
Steps to reproduce

Related to

#1684 - Security Questions for password resets

#3024 - Lost-password form privacy (and assorted discussed ideas)

Funded? No