Feature request: update password handling
Reported by dleffler | July 17th, 2015 @ 08:28 PM | in 2.3.5 (closed)
Since we've left php v5.2.x support, it would be a good time to consider moving to a newer method to 'hash' passwords. Some considerations:
- implementing a new password 'hash' would invalidate all existing passwords (immediately) so we'd need to allow the super-admin to change their password during the upgrade and then possibly (automatically) send an email to ALL users with the link to reset their password?
- should we also implement a new feature to force the user to change a password every xx days?
- implement the php function crypt which also allows adding a 'salt' value
- implement a drop-in or configurable method for setting passwords (min number of chars, min pattern such as upper/lower/numeric/symbol)...we provide a 'password strength meter' on the bootstrap3 views which better helps the user select a stronger password
Comments and changes to this ticket
expNinja August 2nd, 2015 @ 12:08 AM
- State changed from new to resolved
- Assigned user set to dleffler
- Milestone set to 2.3.5
(from [431ebfc4f8146ba45aac471304f734762a075cec]) Enhance password security by allowing admin-selected password strength settings (min length, min # of Caps, min # of digits, min # of symbols) and moving to an optional more secure password hashing method (blowfish instead of md5) [#1304 state:resolved milestone:2.3.5 responsible:dleffler] https://github.com/exponentcms/exponent-cms/commit/431ebfc4f8146ba4...
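The ticket raises the concern that a new hash invalidates existing passwords. The sketch below is an added example, not Exponent CMS code or the code from the commit above: it verifies a legacy md5 digest at login and re-hashes with bcrypt (blowfish) on success, so accounts migrate without a forced reset. It assumes PHP 5.6+, an unsalted md5 hex digest as the legacy format, and hypothetical function names.

```php
<?php
// Added example; function names and the stored-hash layout are assumptions.
const BCRYPT_COST = 12; // constructed value; tune to the server's hardware

// Legacy records are assumed to be a bare 32-character md5 hex digest.
function is_legacy_md5($stored) {
    return (bool) preg_match('/^[a-f0-9]{32}$/i', $stored);
}

// Returns array($ok, $newHash). $newHash is non-null when the stored
// value should be overwritten with a fresh bcrypt hash.
function verify_and_upgrade($password, $stored) {
    $opts = array('cost' => BCRYPT_COST);
    if (is_legacy_md5($stored)) {
        // Constant-time compare against the old scheme.
        if (!hash_equals(strtolower($stored), md5($password))) {
            return array(false, null);
        }
        // Correct password: upgrade while the plaintext is in hand.
        return array(true, password_hash($password, PASSWORD_BCRYPT, $opts));
    }
    if (!password_verify($password, $stored)) {
        return array(false, null);
    }
    // Already bcrypt; re-hash only if the cost setting has been raised.
    $new = password_needs_rehash($stored, PASSWORD_BCRYPT, $opts)
        ? password_hash($password, PASSWORD_BCRYPT, $opts)
        : null;
    return array(true, $new);
}

// Constructed sample record standing in for a user-table row.
$users = array('alice' => md5('correct horse battery staple'));

list($ok, $new) = verify_and_upgrade('correct horse battery staple', $users['alice']);
if ($ok && $new !== null) {
    $users['alice'] = $new; // persist the upgraded hash
}
echo $ok ? "login ok\n" : "login failed\n";
echo is_legacy_md5($users['alice']) ? "still md5\n" : "upgraded to bcrypt\n";

// A wrong password must neither log in nor trigger a re-hash.
list($ok2, $new2) = verify_and_upgrade('wrong guess', $users['alice']);
echo (!$ok2 && $new2 === null) ? "bad password rejected\n" : "unexpected\n";
```

Accounts that never log in keep their md5 digest, so a deadline followed by a forced reset for the remaining legacy rows is still needed to retire the old scheme.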
Bug Tracker for Exponent CMS