View Issue Details

ID: 5697
Project: Composr
Category: core
View Status: public
Last Update: 2024-07-24 21:04
Reporter: PDStig
Assigned To: Guest
Priority: normal
Severity: feature
Status: new
Resolution: open
Summary: 5697: Add admin tool for mass invalidating member passwords
Description: Add a user interface in the Admin Zone for easily mass-invalidating user passwords (e.g. requiring members to reset their passwords).

Here are some ideas for criteria:

- Members who have not logged in for X days
- Members whose user account is older than X days (good for date-specific data leaks and targeting members who may have been in that leak)
- Members who have not changed their password in X days or longer
- Members in certain groups
- Members using a legacy password scheme
- Members whose password was ratcheted with a value less than specified (ratchets can easily be determined from the hash)
- Members under the age of X (good for if we aren't concerned as much about the security of adult members as we are children)
- Members who have a non-blank or non-null value for specific custom fields (good for resetting passwords of members who, say, have a credit card number on file)
- Anything else we can think of
Additional Information: Such a tool would be very useful for quick action by staff in the event of a data breach or security concern.
Tags: Roadmap: Over the horizon, Type: Security
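The criteria listed in the description map naturally onto small, composable predicates over member records. The following is an added example written for this page, not Composr code: the `Member` record, its field names, the `scheme` label and the sample accounts are all constructed for illustration, and "ratchet" is read as the bcrypt cost factor, which is stored in the hash prefix (`$2y$<cost>$`) and so can be inspected without knowing any password. The action taken on selected accounts is a forced reset flag rather than account deletion.

```python
"""Select members for a forced password reset after a breach (added example)."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional


def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


NOW = utc(2024, 7, 24)  # fixed clock so the example is deterministic


@dataclass
class Member:  # hypothetical record; field names are not Composr's schema
    id: int
    password_hash: str                  # bcrypt hashes look like "$2y$<cost>$..."
    scheme: str                         # hypothetical label, e.g. "bcrypt" or "md5"
    joined: datetime
    last_login: Optional[datetime]
    password_changed: datetime
    groups: set[str] = field(default_factory=set)
    birth_date: Optional[datetime] = None
    custom_fields: dict[str, Optional[str]] = field(default_factory=dict)
    must_reset: bool = False            # set by the tool; checked at next login


Criterion = Callable[[Member], bool]
_BCRYPT = re.compile(r"^\$2[abxy]?\$(\d{2})\$")


def bcrypt_cost(hash_value: str) -> Optional[int]:
    """Read the bcrypt cost (ratchet) from the hash prefix; None if not bcrypt."""
    m = _BCRYPT.match(hash_value)
    return int(m.group(1)) if m else None


def not_logged_in_for(days: int, now: datetime = NOW) -> Criterion:
    cutoff = now - timedelta(days=days)
    return lambda m: m.last_login is None or m.last_login < cutoff


def account_older_than(days: int, now: datetime = NOW) -> Criterion:
    return lambda m: m.joined < now - timedelta(days=days)


def password_unchanged_for(days: int, now: datetime = NOW) -> Criterion:
    return lambda m: m.password_changed < now - timedelta(days=days)


def in_groups(*names: str) -> Criterion:
    wanted = set(names)
    return lambda m: bool(m.groups & wanted)


def legacy_scheme(modern: tuple[str, ...] = ("bcrypt",)) -> Criterion:
    return lambda m: m.scheme not in modern


def ratchet_below(min_cost: int) -> Criterion:
    def check(m: Member) -> bool:
        cost = bcrypt_cost(m.password_hash)
        return cost is not None and cost < min_cost
    return check


def younger_than(years: int, now: datetime = NOW) -> Criterion:
    def check(m: Member) -> bool:
        b = m.birth_date
        if b is None:
            return False
        age = now.year - b.year - ((now.month, now.day) < (b.month, b.day))
        return age < years
    return check


def has_custom_field(name: str) -> Criterion:
    def check(m: Member) -> bool:
        value = m.custom_fields.get(name)
        return value is not None and value.strip() != ""
    return check


def select_for_reset(members, criteria, match_any: bool = True) -> list[int]:
    """IDs of members matching any (default) or all of the criteria."""
    combine = any if match_any else all
    return sorted(m.id for m in members if combine(c(m) for c in criteria))


def mark_for_reset(members, ids) -> int:
    """Flag the selected accounts; returns how many were newly flagged."""
    changed = 0
    for m in members:
        if m.id in ids and not m.must_reset:
            m.must_reset = True
            changed += 1
    return changed


def fake_bcrypt(cost: int) -> str:
    # Constructed hash body: only the "$2y$<cost>$" prefix matters here.
    return f"$2y${cost:02d}$" + "x" * 53


# Constructed sample accounts (ids 1-4); the md5-looking value is made up.
MEMBERS = [
    Member(1, fake_bcrypt(12), "bcrypt", utc(2023, 1, 1), utc(2024, 7, 20), utc(2024, 6, 1), {"Members"}),
    Member(2, fake_bcrypt(10), "bcrypt", utc(2020, 5, 1), utc(2024, 1, 1), utc(2020, 5, 1), {"Staff"}),
    Member(3, "0123456789abcdef0123456789abcdef", "md5", utc(2019, 3, 3), utc(2024, 7, 23), utc(2019, 3, 3)),
    Member(4, fake_bcrypt(12), "bcrypt", utc(2024, 2, 1), utc(2024, 7, 24), utc(2024, 2, 1),
           birth_date=utc(2010, 1, 1), custom_fields={"payment_profile": "on file"}),
]

if __name__ == "__main__":
    breach_criteria = [not_logged_in_for(180), legacy_scheme(), ratchet_below(12),
                       younger_than(18), has_custom_field("payment_profile")]
    ids = select_for_reset(MEMBERS, breach_criteria)
    print("force reset for member ids:", ids, "flagged:", mark_for_reset(MEMBERS, ids))
```

With the sample data the breach-response combination above selects members 2, 3 and 4: the stale login with a low ratchet, the legacy-scheme account, and the minor with payment data on file, while member 1 (recent login, modern scheme, cost 12) is left alone. Combining with `match_any=False` gives the narrower "old account whose password has not changed" case from the description.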
Activities

Chris Graham (administrator), 2024-07-23 15:00, note ~8889

"Members who have not changed their password in X days or longer" - maybe, but most people hate this. https://pages.nist.gov/800-63-FAQ/#q-b05

PDStig (administrator), 2024-07-23 16:32, note ~8893 (last edited: 2024-07-23 16:33)

The point of this tool is to invalidate passwords in the event of a breach. So that criterion is not actually for password expiration but rather manually invalidating passwords which have not been changed in a long while (in the event of a breach), as they are more likely to exist in brute-force rainbow tables.

Composr already has password expiration as a separate config option.

Chris Graham (administrator), 2024-07-24 21:04, note ~8905

Ah, right.


Issue History

Date Modified Username Field Change
2024-04-14 18:42 PDStig New Issue
2024-04-14 18:42 PDStig Tag Attached: Roadmap: Over the horizon
2024-07-23 14:58 Chris Graham Tag Attached: Type: Security
2024-07-23 15:00 Chris Graham Note Added: 0008889
2024-07-23 16:32 PDStig Note Added: 0008893
2024-07-23 16:33 PDStig Note Edited: 0008893
2024-07-24 21:04 Chris Graham Note Added: 0008905