Open NightJar opened 5 years ago
I guess you could check the strength of the password against the current rules when a user successfully logs in, then redirect them to change password instead of the default login destination
Sounds good. If there is a change to the compliance criteria, we could show a notification for them to update their password. We can keep on showing the notification until they actually reset it; don't know if we need to go the enforce route?
As per @sminnee's comment
We currently do not force a reset (to my knowledge). The flow could be evaluated on submission of the password before hashing, setting a flag to update iff (if and only if) that submission would lead to a successful login.
I worry that to a semi-savvy user this may appear as though the password is not stored securely ("how would they know what my password is to say that?"), so I think there would need to be some explanation alongside whatever method this is communicated through to the user.
@clarkepaul @newleeland may be interested in this flow.
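One way to implement the flow discussed above, as an added Python sketch that is not code from this project (the policy version number, the `Member` fields and the rule list are assumptions): the submitted password is compared against the stored hash first, and only on a successful login is the plaintext evaluated against the current rules and the must-change flag set, so a wrong password never receives policy feedback.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import Optional

# Constructed policy: bumping POLICY_VERSION is how a "change to the
# compliance criteria" is represented. Each rule is (description, predicate).
POLICY_VERSION = 2
RULES = [
    ("at least 12 characters", lambda p: len(p) >= 12),
    ("contains a digit", lambda p: re.search(r"\d", p) is not None),
    ("contains an upper-case letter", lambda p: re.search(r"[A-Z]", p) is not None),
]

def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """PBKDF2-HMAC-SHA256; only the salt and derived key are ever stored."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Member:
    salt: bytes
    digest: bytes
    policy_version_checked: int = 0    # RULES version the password last satisfied
    must_change_password: bool = False

def create_member(password: str, checked_version: int = POLICY_VERSION) -> Member:
    salt, digest = hash_password(password)
    return Member(salt, digest, policy_version_checked=checked_version)

def failing_rules(password: str) -> list:
    return [desc for desc, ok in RULES if not ok(password)]

def login(member: Member, submitted: str) -> str:
    """Return the route to send the user to: login_failed, home or change_password."""
    _, candidate = hash_password(submitted, member.salt)
    if not hmac.compare_digest(candidate, member.digest):
        return "login_failed"            # no policy evaluation on a failed login
    if member.policy_version_checked < POLICY_VERSION:
        if failing_rules(submitted):
            member.must_change_password = True          # flag set iff login succeeded
        else:
            member.policy_version_checked = POLICY_VERSION  # still compliant, record it
    return "change_password" if member.must_change_password else "home"
```

The flag persists on the member, so the redirect to the change-password form repeats on every login until the password is actually reset.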