Author Topic: Password plugin - force users to change password / password strength?

maxie_ro

Hi.

Is there any hack (or any plan to change the plugin) to force users to change passwords?

Also, the same to enforce a certain password strength (like not using parts of the username, a minimum length, certain types of characters (alpha+digits+other marks), etc.)?

Maybe also to not allow login to POP3/IMAP/SMTP before the password is changed, and a custom message if the user tries to log in with an email client?

Thanks!

SKaero
« Reply #1 on: October 12, 2009, 04:52:39 AM »
Enforcing a password strength wouldn't be that hard; you just have to add JavaScript to the form to check if their password meets all of the requirements. Not allowing users to log in to another email client before they change their password would be server-side and couldn't be done with RoundCube.

maxie_ro
« Reply #2 on: October 12, 2009, 06:15:34 AM »
I see that there is something similar in the latest SVN trunk (btw, this is how I found out 'password' is not a third-party plugin, it is in core :p). But it only accepts a minimum size for the password and the presence/absence of chars other than alphanumeric.

This should be expanded as I said above:
- test for alpha parts of username bigger than 3 not to be included in password (if username is "user.name.xx.2009", test for "user" and "name")
- minimum number of digits
- minimum number of other non-alphanumeric characters

Also, it would be nice to test for the presence of certain white spaces ("\n", "\r", "\t") and warn/disallow the change in that case. Very useful if a user notes down a password in a file and copy-pastes it with line-endings/spaces. Then, when writing it down by hand in the password box, he/she can't log in and doesn't know why (it happened...)
« Last Edit: October 12, 2009, 06:16:59 AM by maxie_ro »
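
The checks requested in this thread, written as one JavaScript function; this is an added example, not part of the posts and not Roundcube's password plugin code. The names `checkPassword`, `usernameParts` and `DEFAULT_POLICY`, the default thresholds, the case-insensitive username match and the rejection of leading/trailing spaces are all assumptions.

```javascript
// Added example: hypothetical policy and function names, not Roundcube code.
const DEFAULT_POLICY = {
  minLength: 8,    // assumed default
  minDigits: 1,    // "minimum number of digits"
  minSymbols: 1,   // "minimum number of other non-alphanumeric characters"
  minNamePart: 4   // username parts "bigger than 3"
};

// Alphabetic runs of the username that are long enough to test for,
// e.g. "user.name.xx.2009" -> ["user", "name"] ("xx" is too short).
function usernameParts(username, minLen) {
  const runs = username.toLowerCase().match(/\p{L}+/gu) || [];
  return runs.filter((part) => part.length >= minLen);
}

// Returns a list of violation codes; an empty list means the password passes.
function checkPassword(username, password, policy = DEFAULT_POLICY) {
  const problems = [];

  // Pasted line endings/tabs, or spaces at either end (the copy-paste case).
  if (/[\r\n\t]/.test(password) || password !== password.trim()) {
    problems.push('whitespace');
  }
  // Count code points, not UTF-16 units.
  if ([...password].length < policy.minLength) {
    problems.push('too-short');
  }
  if ((password.match(/\d/g) || []).length < policy.minDigits) {
    problems.push('too-few-digits');
  }
  // Symbols: anything that is not a letter, a number or whitespace.
  const symbols = password.match(/[^\p{L}\p{N}\s]/gu) || [];
  if (symbols.length < policy.minSymbols) {
    problems.push('too-few-symbols');
  }
  // Case-insensitive substring match against each username part.
  const lowered = password.toLowerCase();
  for (const part of usernameParts(username, policy.minNamePart)) {
    if (lowered.includes(part)) problems.push('username-part:' + part);
  }
  return problems;
}

// Constructed sample input.
console.log(checkPassword('user.name.xx.2009', 'MyName#2024x'));
```

The function has no DOM dependency, so the same rules can be evaluated in the form and again wherever the password change is actually processed.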