#5697 - Add admin tool for mass invalidating member passwords
| Identifier | #5697 |
|---|---|
| Issue type | Feature request or suggestion |
| Title | Add admin tool for mass invalidating member passwords |
| Status | Open |
| Tags | Roadmap: Over the horizon (custom); Type: Security (custom) |
| Handling member | Deleted |
| Addon | core |
| Description | Add a user interface in the Admin Zone for easily mass-invalidating user passwords (e.g. requiring members to reset their passwords).<br>Here are some ideas for criteria:<br>- Members who have not logged in for X days<br>- Members whose user account is older than X days (good for date-specific data leaks and targeting members who may have been in that leak)<br>- Members who have not changed their password in X days or longer<br>- Members in certain groups<br>- Members using a legacy password scheme<br>- Members whose password was ratcheted with a value less than specified (ratchets can easily be determined from the hash)<br>- Members under the age of X (good for if we aren't concerned as much about the security of adult members as we are children)<br>- Members who have a non-blank or non-null value for specific custom fields (good for resetting passwords of members who, say, have a credit card number on file)<br>- Anything else we can think of |
| Steps to reproduce | |
| Additional information | Such a tool would be very useful for quick action by staff in the event of a data breach or security concern. |
| Funded? | No |
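
The criteria in the description, including reading the ratchet straight from the stored hash, can be sketched as a selection pass over member records. This is an added example, not part of the original issue and not Composr code. It assumes hashes are bcrypt modular-crypt strings and treats anything else as a legacy scheme; the `Member` record, function names and sample data are hypothetical.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# bcrypt modular-crypt format: "$2y$", two-digit cost, "$", 53 chars of salt + digest.
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")

@dataclass
class Member:  # hypothetical record, not Composr's actual member schema
    name: str
    pass_hash: str
    last_login: datetime
    pw_changed: datetime
    groups: frozenset

def bcrypt_cost(pass_hash):
    """Return the bcrypt cost (the "ratchet"), or None for a non-bcrypt hash."""
    m = BCRYPT_RE.match(pass_hash)
    return int(m.group(1)) if m else None

def select_for_reset(members, now, *, min_cost=None, idle_days=None,
                     max_pw_age_days=None, groups=(), legacy=False):
    """Map member name -> reasons, for members matching any enabled criterion."""
    hits = {}
    for m in members:
        cost, reasons = bcrypt_cost(m.pass_hash), []
        if legacy and cost is None:
            reasons.append("legacy scheme")
        if min_cost is not None and cost is not None and cost < min_cost:
            reasons.append(f"ratchet {cost} < {min_cost}")
        if idle_days is not None and now - m.last_login > timedelta(days=idle_days):
            reasons.append(f"no login in {idle_days} days")
        if max_pw_age_days is not None and now - m.pw_changed > timedelta(days=max_pw_age_days):
            reasons.append(f"password older than {max_pw_age_days} days")
        if m.groups & set(groups):
            reasons.append("in targeted group")
        if reasons:
            hits[m.name] = reasons
    return hits

# Constructed sample data: hash bodies are filler characters, not real digests.
NOW = datetime(2024, 6, 1)
DAYS = lambda n: NOW - timedelta(days=n)
MEMBERS = [
    Member("alice", "$2y$12$" + "A" * 53, DAYS(2), DAYS(30), frozenset({"members"})),
    Member("bob", "$2y$08$" + "A" * 53, DAYS(5), DAYS(400), frozenset({"members"})),
    Member("carol", "0123456789abcdef" * 2, DAYS(900), DAYS(900), frozenset({"staff"})),
]
print(select_for_reset(MEMBERS, NOW, min_cost=10, idle_days=365, legacy=True))
```

Returning the matched reasons per member lets staff review the selection, and log why each account was chosen, before any password is invalidated.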


Comments
Composr already has password expiration as a separate config option.