mayacopeland
commented
3 years ago For number 2, a quick google search returned passwordMustChange and things similar.
For number 1, there's not really any way we can do this securely I think.
e: after the talks in the discord I believe we should maybe overhaul usertools and 'modernize' it into a webapp, which allows for admins to manage users and whatnot, and allow users to manage their account and reset their information etc.
Once #7 lands, when a password is reset:
We should at least fix 2, that is to say, force users to pick a new password as soon as they connect with the password we sent to them for reset purposes.
Ideally we should also make it that accounts with an open password reset are further secured if they are not updated within 24h or such, so that passwords sitting in peoples inboxes aren't valid in perpetuity.
This may be helpful to explore the options available: https://wiki.tardis.ed.ac.uk/wiki/Browse_LDAP