[dev] Password expiry

Jeroen Huinink j.huinink at wanadoo.nl
Wed Feb 5 10:29:43 PST 2003


"Eric Rostetter" <eric.rostetter at physics.utexas.edu> wrote on the sork list:
> Quoting Jeroen Huinink <j.huinink at wanadoo.nl>:
>
> > Why do you feel it's a hornet's nest?
>
> When I looked at your problem, I found lots of similar bugs in various
> backends.  It turned out to not be too hard to fix.  But you sure did
> uncover some serious problems with the code base.


Ah, I see that now. :-) I tested it (the passwd module with expect backend)
and it seems to work.

> > Now that we're talking: are there any plans on putting support for password
> > expiration and expiration reminders into horde/sork?
>
> Probably not into sork.  This might maybe make more sense for some backends
> (like sql) but for the most part this should be handled by the actual program
> (poppassd, etc).  So it might be something we could put into different
> backends, but not do en masse.
>
> The exception would be if we wanted to put this support into the api, and
> then be able to use it e.g. in the summary page or in the accounts module
> summary page.  I'll consider that, or any feedback on that idea.  But my
> guess is that this would be rather expensive (time wise) and not something
> we want to do at every login or page display.

The problem that I see is that if you use a system with password expiry you
never get a warning about this when using horde. Password expiry might not
be an issue if you are an ISP and are only using horde in combination with
imp to give your customers a webmail interface. We however are a business
and feel that sensitive information is available in our e-mail, tasks, notes
and calendar (not to mention gollem or chora) and we want to enforce a
stricter password policy.

The way we set it up is to use IMAP authentication. This simply fails when
your password is expired, so you cannot log into horde to change your
password. We would like to give our users a warning when they log on and
require them to change their password if they are within a day of expiry.

I really like the password strength tests in sork, but if you want to
enforce a strict password policy, you would also like to store old passwords
so the user cannot simply alternate between two or three passwords. (On the
IBM AS/400 that we use, something like 30 old passwords are stored...). I
have some ideas on how to implement this. Opinions?

What I did now is create a php shell script that we will be running as a
cron job that sends an e-mail warning when a password is about to expire.
I'll see if I can generalize this and share this with the list if there is
interest.

> This might be something that could go into Horde, but then you want to
> post this to a different mailing list for comments.

This is it.

Regards,
Jeroen
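The two policy pieces discussed in this message, an expiry warning window and a history of old password hashes, modelled as an added example (this is not the poster's cron script and not Horde/sork code). It assumes the account system supplies the last-change date, that old passwords are kept only as salted PBKDF2 hashes, and that the lifetime, warning window and history depth are local policy values.

```python
"""Password-expiry status and password-history (reuse) check."""
from datetime import date, timedelta
import hashlib
import hmac
import os

MAX_AGE_DAYS = 90       # assumed policy: password lifetime in days
WARN_DAYS = 7           # assumed policy: start warning this many days ahead
FORCE_CHANGE_DAYS = 1   # from the thread: force a change within a day of expiry
HISTORY_DEPTH = 30      # from the thread: roughly what the AS/400 keeps
PBKDF2_ROUNDS = 20_000  # assumed; raise for production use


def expiry_status(last_changed: date, today: date) -> tuple[str, int]:
    """Return (action, days_left) where action is one of
    'ok', 'warn', 'force_change' or 'expired'."""
    expires_on = last_changed + timedelta(days=MAX_AGE_DAYS)
    days_left = (expires_on - today).days
    if days_left < 0:
        return "expired", days_left          # IMAP login would already fail
    if days_left <= FORCE_CHANGE_DAYS:
        return "force_change", days_left     # make the user change it now
    if days_left <= WARN_DAYS:
        return "warn", days_left             # what the cron mail would say
    return "ok", days_left


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only this digest is ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def reused(new_password: str, history: list[tuple[bytes, bytes]]) -> bool:
    """True if new_password equals any of the last HISTORY_DEPTH passwords.
    Each history entry is (salt, digest); comparison is constant-time."""
    return any(hmac.compare_digest(hash_password(new_password, salt), digest)
               for salt, digest in history[-HISTORY_DEPTH:])


def record_password(history: list[tuple[bytes, bytes]], password: str) -> list:
    """Append the new password's (salt, digest) and trim to HISTORY_DEPTH."""
    salt = os.urandom(16)
    history.append((salt, hash_password(password, salt)))
    del history[:-HISTORY_DEPTH]
    return history
```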
