[horde] passwd and forced changes

Ralf Lang lang at b1-systems.de
Fri Jan 3 14:32:01 UTC 2014


On 03.01.2014 15:20, Simon B wrote:
>>> User forgets their password or account is compromised
>>> Admin/helpdesk reset password and notify the user of the temporary password.
>>> Admin/helpdesk uses the console to set the Force_Change flag for that
>>> email address/username
>>> User logs into Horde with the temporary credentials.  Because of the
>>> Force_Change flag user is unable to proceed to applications until the
>>> password change (using the passwd module) is done.
>>
>> I don't like the temporary password thing much but it would work.
>> But consider:
>> If we need to send something to the user, we can send him a one-time
>> ticket / link to the reset password screen. If we cannot reach the user,
>> we can use the "forgot password" question/answer.
> 
> I'm less concerned with people who've forgotten their password and can
> access the forgot password question/answer.
> 
> I'm more concerned with:
> - initial user login - i.e. we create a password (such as Password1234
> and want the user to change it immediately)

Case understood. But this could easily be served with a dialog to let
the admin change the forgot password phrase.

> - account has been compromised and we've reset the password to
> safhl$#HXs to prevent further unauthorised access, but when we give
> the user this password we don't want them to just save it in the
> browser and proceed - we actually want them to change it.

In this case:
Don't give him the password. Set an invalid password hash or random
password and let the user go through "forgot password".

> - Sometimes people forget what the password hint is trying to tell
> them (I know I do).

Case understood. But this could easily be served with a dialog to let
the admin change the forgot password phrase.

Anyway, I understand. The admin should be able to:
- lock users out until they reset their password, via list or by typing the name
- list users which have been locked out
- send the user an authentication ticket (one time password) for the
forced password reset

-- 
Ralf Lang
Linux Consultant / Developer
Tel.: +49-170-6381563
Mail: lang at b1-systems.de
B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
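The lock-out, list and one-time-ticket flow summarised in the message above, as an added example that is not Horde's code or anything posted in this thread. It assumes a constructed in-memory account store in place of Horde's auth backend, a sentinel stored hash that no password can match, and a one-hour ticket lifetime.

```python
import hashlib, hmac, secrets, time

# Constructed in-memory account store standing in for Horde's auth backend.
ACCOUNTS = {}
LOCKED = "!locked"  # sentinel stored hash; no password can hash to it

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

def _set_password(acct, password):
    acct["salt"] = secrets.token_bytes(16)
    acct["hash"] = _hash(password, acct["salt"])

def create_user(name, password):
    ACCOUNTS[name] = {"force_change": False, "ticket": None}
    _set_password(ACCOUNTS[name], password)

def lock_for_reset(name, now=None, ttl=3600):
    """Admin action: invalidate the hash, set Force_Change and return a one-time
    ticket for the user. Only the ticket's digest is stored (assumed 1h lifetime)."""
    acct = ACCOUNTS[name]
    acct["hash"], acct["force_change"] = LOCKED, True
    ticket = secrets.token_urlsafe(32)
    acct["ticket"] = {"digest": hashlib.sha256(ticket.encode()).hexdigest(),
                      "expires": (now or time.time()) + ttl}
    return ticket

def locked_users():
    return sorted(n for n, a in ACCOUNTS.items() if a["force_change"])

def redeem_ticket(name, ticket, new_password, now=None):
    """Forced reset: ticket must be unexpired, match in constant time, and is single use."""
    acct = ACCOUNTS.get(name)
    t = acct and acct["ticket"]
    if not t or (now or time.time()) > t["expires"]:
        return False
    if not hmac.compare_digest(t["digest"], hashlib.sha256(ticket.encode()).hexdigest()):
        return False
    acct["ticket"] = None                 # never accept the same ticket twice
    _set_password(acct, new_password)
    acct["force_change"] = False
    return True

def login(name, password):
    """Locked accounts fail here regardless of the password supplied."""
    acct = ACCOUNTS.get(name)
    if not acct or acct["hash"] == LOCKED:
        return False
    return hmac.compare_digest(acct["hash"], _hash(password, acct["salt"]))
```

Because the stored hash is replaced rather than a temporary password being issued, nothing the helpdesk hands out can be saved in the browser and reused; the only way back in is through the ticket.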
