nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0
26.13k stars 3.94k forks

Force a password change #1262

Open MariusBluem opened 7 years ago

MariusBluem commented 7 years ago

We should offer a function to force password changes, in case of:

In general this should also be provided via API to make it possible to integrate tools outside of Nextcloud.

cc @LukasReschke @Liwindo @hitam4450

MorrisJobke commented 6 years ago

Maybe implemented as password expiry in the password_policy app?

Liwindo commented 6 years ago

Not sure if that's enough. In my case you also need an option to lock the login until the passwords are changed, in combination with an approval mail, to prevent a stranger from resetting the password.

kisimediaDE commented 6 years ago

Are there any plans for when this feature will be integrated?

MorrisJobke commented 6 years ago

> Are there any plans for when this feature will be integrated?

Once somebody implements it, because as of now it's only a request without any roadmap plans yet.

MorrisJobke commented 6 years ago

> • special outside policies like for example periodic password changes (#8785)

> In general this should also be provided via API to make it possible to integrate tools outside of Nextcloud.

I added those two for the request in #8785

KB7777 commented 6 years ago

Yes, API would be great :-)

Liwindo commented 6 years ago

What has to be done so that the developers put it on their schedule?

tmaff commented 4 years ago

Hello, any updates here? :)

hex-m commented 4 years ago

Regarding the API and external tools that could change passwords, I'd like to point to this discussion.

It seems to me like the "force reset password on next login"-feature is a different issue than the API.

pierreozoux commented 4 years ago

Currently, if you use vanilla Nextcloud (without any apps), it is really insecure. When you create a user, you then have to send the password to this user, and the way people do it is via email. And as you know users, they never change their password.

You can of course mitigate that with the registration app, or any user backend, but for vanilla users, it is insecure.

Nils160988 commented 4 years ago

You don't have to set a password. You can just create the account, people receive an email with a link and set their own password.