Last modified: 2014-03-01 12:43:19 UTC
In the event that the site owner needs the users to change their password for some reason, it would be nice for MediaWiki to have the concept of password expiration. Typically, I've seen this implemented so that a date attribute can be stored on the User, and then a configurable number of days before or after that date, the user gets a "soft" password reset on login: they are asked to change their password, but they are still logged in and can skip the process for now. After the "soft" phase, the user gets a "hard" reset, and cannot log in without changing their password. After the user resets their password, we could probably have a flag to automatically set the next expiration date, for users that need to comply with password-reset schedules. The WMF currently has a hack in place on their sites to do a "hard" reset for a set of users, so having this feature in core would decrease our tech-debt, as well as providing a better product for other users of MediaWiki.
Oh, and as Daniel mentioned on https://bugzilla.wikimedia.org/show_bug.cgi?id=28419#c82, we should add a way to for a custom message when we trigger big resets.
(In reply to comment #0)
> the user gets a "hard" reset, and cannot login without
> changing their password.

Maybe add "to a new, different password", or even "to a password that has never been used for this account".
Change 92037 had a related patch set uploaded by CSteipp: Password Expiration (WIP) https://gerrit.wikimedia.org/r/92037
Change 92037 merged by jenkins-bot: Password Expiration https://gerrit.wikimedia.org/r/92037
Status Merged
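The soft/hard expiration flow requested in this report, together with the "new, different password" check suggested in the reply, as an added Python sketch; it is not MediaWiki code and not the merged change. Assumptions: the names `Account`, `expiry_state`, `login`, `change_password`, `GRACE_DAYS` and `ROTATION_DAYS` are hypothetical, the soft phase is taken to start at the stored date and last `GRACE_DAYS`, and PBKDF2 stands in for whatever password hashing the wiki uses.

```python
import hashlib
import hmac
import os
from datetime import timedelta

GRACE_DAYS = 7       # assumed length of the "soft" phase after the expiry date
ROTATION_DAYS = 90   # assumed reset schedule; set to None to disable re-expiry

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    def __init__(self, password, expires=None):
        self.salt = os.urandom(16)
        self.pw_hash = _hash(password, self.salt)
        self.expires = expires  # timezone-aware datetime, or None for "never"

    def check(self, password):
        # Constant-time comparison of the derived hash with the stored one.
        return hmac.compare_digest(_hash(password, self.salt), self.pw_hash)

def expiry_state(account, now):
    """Return 'ok', 'soft' (prompt, skippable) or 'hard' (change required)."""
    if account.expires is None or now < account.expires:
        return "ok"
    if now < account.expires + timedelta(days=GRACE_DAYS):
        return "soft"
    return "hard"

def login(account, password, now):
    """Return (session_granted, state); a 'hard' state never grants a session."""
    if not account.check(password):
        return False, "bad-credentials"
    state = expiry_state(account, now)
    return state != "hard", state

def change_password(account, old, new, now):
    """Works in every state, so a 'hard'-expired user can still recover."""
    if not account.check(old):
        raise PermissionError("current password incorrect")
    if account.check(new):
        raise ValueError("new password must differ from the current one")
    account.salt = os.urandom(16)
    account.pw_hash = _hash(new, account.salt)
    # Automatically schedule the next expiry for accounts on a reset schedule.
    account.expires = now + timedelta(days=ROTATION_DAYS) if ROTATION_DAYS else None
```

Rejecting "a password that has never been used for this account" would additionally need a stored history of earlier hashes, which this sketch does not keep.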