
Implement password age password policy check
Closed, Resolved · Public

Description

Good practice would be to change your password semi-frequently

It would be useful to have some form of password age enforcement; at X days users are reminded to change their password, and at Y days, they are forced to change it

Going to need a database change for this to work, whether a user column addition or similar

It's going to be almost impossible to back populate the "last changed" timestamp, but it can be done at first login after said check was enabled, and then just updated on reset/change as appropriate

https://en.wikipedia.org/wiki/Password_policy#Password_duration
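
The reminder and forced-change thresholds with the first-login backfill described above, as an added sketch that is not part of the task and is not MediaWiki code. The names `Account`, `AgePolicy`, `check_on_login` and `record_password_change` are hypothetical, and the 60/90-day values and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class PasswordAge(Enum):
    OK = "ok"
    REMIND = "remind"  # older than X days: warn, still allow the login
    FORCE = "force"    # older than Y days: require a change first


@dataclass
class Account:  # hypothetical user row
    name: str
    password_changed_at: Optional[datetime] = None  # None: predates the column


@dataclass(frozen=True)
class AgePolicy:
    remind_after: timedelta  # "X days" in the description
    force_after: timedelta   # "Y days" in the description

    def __post_init__(self):
        if self.remind_after > self.force_after:
            raise ValueError("reminder threshold must not exceed forced threshold")


def check_on_login(acct: Account, policy: AgePolicy, now: datetime) -> PasswordAge:
    if acct.password_changed_at is None:
        # No back-population: the clock starts at the first login after enabling.
        acct.password_changed_at = now
        return PasswordAge.OK
    age = now - acct.password_changed_at
    if age >= policy.force_after:
        return PasswordAge.FORCE
    if age >= policy.remind_after:
        return PasswordAge.REMIND
    return PasswordAge.OK


def record_password_change(acct: Account, now: datetime) -> None:
    acct.password_changed_at = now  # called on every reset or change


if __name__ == "__main__":
    acct, t0 = Account("legacy"), datetime(2015, 12, 11, tzinfo=timezone.utc)
    policy = AgePolicy(timedelta(days=60), timedelta(days=90))  # constructed values
    for day in (0, 59, 60, 90):
        print(day, check_on_login(acct, policy, t0 + timedelta(days=day)).value)
```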

Event Timeline

Reedy created this task. Dec 11 2015, 12:16 AM
Reedy raised the priority of this task from to Normal.
Reedy updated the task description.
Reedy added a project: MediaWiki-General.
Reedy added subscribers: Reedy, csteipp.
Restricted Application added a subscriber: Aklapper. Dec 11 2015, 12:16 AM
Reedy updated the task description. Dec 11 2015, 12:39 AM

> Good practice would be to change your password semi-frequently

Sure, when it comes to the user doing it. However, I believe it's generally considered to reduce security when that sort of thing is enforced from upon high.

Reedy added a comment. Dec 11 2015, 1:11 AM

> Good practice would be to change your password semi-frequently
>
> Sure, when it comes to the user doing it. However, I believe it's generally considered to reduce security when that sort of thing is enforced from upon high.

I didn't say we had to enable it on WMF wikis ;)

Though, in combination with other policies, it can have a net improvement

Reedy lowered the priority of this task from Normal to Lowest. Oct 31 2016, 3:57 PM

I guess the other way is having a way to force it, if people want, and just a way to remind people...

Bawolff closed this task as Resolved. Sep 4 2018, 4:48 PM
Bawolff claimed this task.

Umm, isn't this just $wgPasswordExpirationDays ?

sbassett moved this task from Backlog to Done on the Security-Team board. Jun 11 2019, 7:10 PM