xoops forums

sarahmx

Quite a regular
Posted on: 12/13 16:47
Posts: 378
Since: 2007/10/28
#1

xoops Password rules and password expiry

Hi

I have one intranet site built with XOOPS for a friend a long time ago, and it is used in a company with over 400 staff...

Currently the intranet uses the latest XOOPS 2.5.9 and has been working great with some custom modules developed by a former employee.

Recently the company enforced new password rules for all custom applications installed on the server, with the following requirements:

a. Password changed at least every 6 months
b. Password use at least 3 of the following types of characters: (a) uppercase letters, (b) lowercase letters, (c) numbers, and/or (d) special characters.
c. Password must be unique and cannot be re-used.

Can someone tell me how to do this in XOOPS... is there any quick hack possible?

And how to reset all user passwords?

Mamba

Moderator
Posted on: 12/14 5:20
Posts: 10779
Since: 2004/4/23
#2

Re: xoops Password rules and password expiry

I don't think that there would be an easy hack for it.

a) To keep track of the 6-month interval, you would have to record the date for each user. Maybe you could add an extra field in the Profile and make it visible only to the admin. Then you would have to hack the core to check at login when the user last changed that login, and force him/her to change it.
Or you could add a field to Profile for a reset, and then run a cron every six months to reset all users to yes, and thus force the user to change the password.

b) you could set the check in your new hack as a field validation

c) while checking for the reset, if it is on, you could then save the current password and compare it to the new one, to make sure that they don't match

Another way that might be easier would be to run a cron job that would use "lostpass.php" to fake, for each user, a request for a new password, sending them a new password and forcing them to use it, and then to change it to whatever they want.

Richard is the guru in this area, so maybe he could come up with something better...
Support XOOPS => DONATE
Use 2.5.10 | Docs | Modules | Bugs

sarahmx

Quite a regular
Posted on: 12/14 9:18
Posts: 378
Since: 2007/10/28
#3

Re: xoops Password rules and password expiry

Thank you for the answer Mamba

I'm not sure if I can do this myself... thinking of creating a custom module just to make this work, using jQuery validation or something else.

Any other pointers will be great

geekwright

Quite a regular
Posted on: 12/16 17:26
Posts: 270
Since: 2010/10/15
#4

Re: xoops Password rules and password expiry

XOOPS could really use some modern password policy management tools.

My first impulse was to suggest expanding the profile module, but on closer inspection, using existing events and adding a few new ones would allow us to support a module(s) dedicated just to enhanced password policy. Unfortunately, that solution isn't available to deploy today.

I will make sure that we have all the events needed to support such a module in place very soon.

Meanwhile, the fastest "hack" I can think of would be to tap into an existing Active Directory, using it as the authentication option for your XOOPS system. I don't know if that would be possible or practical for your environment.

As to resetting all passwords, you could update the "pass" column on the users table with some garbage string for all the users you want to reset. Each user would then have to go through the lost password mechanism to set a new password.

sarahmx

Quite a regular
Posted on: 12/19 1:39
Posts: 378
Since: 2007/10/28
#5

Re: xoops Password rules and password expiry

Thank you geekwright

Will try the temporary... Active Directory solution.

Btw, is there any up-to-date Active Directory connection documentation for XOOPS 2.5.9?

I just made some random checks of the passwords used by users of the intranet... most of them are using their username (which we set as employee number) as their password.

XOOPS or any upcoming password module should also prevent this: the password can't be the same as the username.
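
The checks discussed in this thread so far (rules a to c from the first post, plus the username rule from post #5), written out as an added example that is not part of any post and is not XOOPS code. The function names and the per-user list of old password hashes are assumptions; only PHP's built-in password_hash() and password_verify() are used.

```php
<?php
declare(strict_types=1);
// Hypothetical helpers for illustration; none of these are XOOPS core functions.

/** Rule b: count how many of the four character classes appear. */
function countCharClasses(string $password): int
{
    $count = 0;
    foreach (['/[A-Z]/', '/[a-z]/', '/[0-9]/', '/[^A-Za-z0-9]/'] as $pattern) {
        if (preg_match($pattern, $password) === 1) {
            $count++;
        }
    }
    return $count;
}

/** Rule a: true when the last password change is more than six months old. */
function passwordExpired(DateTimeImmutable $lastChanged, DateTimeImmutable $now): bool
{
    return $lastChanged->modify('+6 months') < $now;
}

/**
 * Returns the list of violations for a proposed password (empty = accepted).
 * $previousHashes: password_hash() outputs kept per user (assumed storage),
 * so rule c is checked without ever keeping an old password in plain text.
 */
function validateNewPassword(string $new, string $username, array $previousHashes): array
{
    $errors = [];
    if (countCharClasses($new) < 3) {
        $errors[] = 'needs at least 3 of: uppercase, lowercase, number, special';
    }
    if (strcasecmp($new, $username) === 0) {
        $errors[] = 'must not be the same as the username';
    }
    foreach ($previousHashes as $hash) {
        if (password_verify($new, $hash)) {
            $errors[] = 'has been used before';
            break;
        }
    }
    return $errors;
}

// Constructed sample data: employee number as username, one earlier password.
$history = [password_hash('Winter2017!', PASSWORD_DEFAULT)];
foreach (['100234', 'Winter2017!', 'Spring-2018x'] as $candidate) {
    printf("%s: %s\n", $candidate, implode('; ', validateNewPassword($candidate, '100234', $history)) ?: 'accepted');
}
var_dump(passwordExpired(new DateTimeImmutable('2017-06-01'), new DateTimeImmutable('2017-12-19')));
```

A client-side check (such as jQuery validation) can mirror these rules for usability, but the server-side check is the one that enforces them.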

Mamba

Moderator
Posted on: 12/30 5:33
Posts: 10779
Since: 2004/4/23
#6

Re: xoops Password rules and password expiry

You might also take a look at the tad_login module, which uses OpenID:
https://github.com/tad0616/tad_login

Maybe you'll find some ideas there...