Ability to force password expiration
As more large organizations deploy WordPress, internal security policy requires a forced password expiration every 30 days. While there may be a plug-in or two that are attempting to solve this problem, I haven't found one that actually works well. For sites that have hundreds of users, the ability to force a password change immediately or after 30, 60, 90, or 120 days is imperative. It will also help with WordPress security. Please consider this as a very important component of a future WordPress release.
I agree. Why hasn't this functionality been put in the core? The only plugin I could find that did this was free until I upgraded and now they want $25 for every site I use it on. That is just shady! I guess I'm stuck writing my own plugin.
Yeah, this guy Dylan writes the password expire plugin and he just upgraded it so that you can have it free for personal and paid for business. I understand it if you need it for multiple sites. These guys do have to make a living, so I understand it. The cost should be passed on to the client, if you're a consultant.
This lack of ability to force password expiration is going to become a roadblock for companies / organizations that would like to leverage WordPress.
I agree with Jeff, it really should be a standard feature.
There are plugins that do this, like Login Security Solution.
However, I think the general consensus in the security community these days is that forcing users to create new passwords actually makes systems less secure, due to the unintended consequences. Most users will just write their passwords down or choose something easy to remember rather than going to the hassle of remembering new strong passwords every 30 days.
Not if they're prevented a) from choosing the passwords they previously used on that site when setting a new password (this could possibly be achieved by storing a password history for each user?) and b) from creating weak passwords.
And this should be in core WP because it's a fundamental part of WP security, which the devs should be encouraging/promoting, rather than leaving it up to the community to sort out. If it's left to plugin authors, then how do we know it's been coded properly? How do we know it hasn't got a security flaw? This is why the devs working on WP core should be including this feature.
I agree that more security should be part of Core, but I don't think the core devs do. Login Security Solution was written by a recognized security expert (Daniel Convissor), so in my opinion it's very trustworthy.
You can force the user to enter a strong password, but you can't force them to avoid writing it down on a sticky note taped to their monitor.
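The expiry interval and the password-history idea raised in this thread, as an added example (not part of any post above, and not WordPress core or plugin code). It is plain PHP with hypothetical helper names, an assumed history depth of 5, and a constructed sample user record; a plugin would load and store the record per user instead.

```php
<?php
// Added example: hypothetical helpers, not WordPress core or plugin code.
const MAX_AGE_DAYS  = 30; // expiry interval discussed in the thread
const HISTORY_DEPTH = 5;  // assumed number of previous passwords to remember

// True when the password was last changed more than MAX_AGE_DAYS ago.
function password_expired(int $changedAt, int $now): bool {
    return ($now - $changedAt) > MAX_AGE_DAYS * 86400;
}

// True when the candidate matches any stored hash. The hashes are salted, so
// each one must be verified individually; comparing hash strings cannot work.
function password_reused(string $candidate, array $history): bool {
    foreach ($history as $hash) {
        if (password_verify($candidate, $hash)) {
            return true;
        }
    }
    return false;
}

// Accept a new password: reject reuse, then record it and reset the clock.
// Returns the updated record, or null when the password is rejected.
function change_password(array $record, string $new, int $now): ?array {
    if (password_reused($new, $record['history'])) {
        return null;
    }
    array_unshift($record['history'], password_hash($new, PASSWORD_DEFAULT));
    $record['history']    = array_slice($record['history'], 0, HISTORY_DEPTH);
    $record['changed_at'] = $now;
    return $record;
}

// Constructed sample: a user whose password was last set 45 days ago.
$now    = time();
$record = [
    'changed_at' => $now - 45 * 86400,
    'history'    => [password_hash('Autumn-Harbor-71', PASSWORD_DEFAULT)],
];

// Expiry check on the old record, then a reuse attempt, then a fresh password.
var_dump(password_expired($record['changed_at'], $now));
var_dump(change_password($record, 'Autumn-Harbor-71', $now) === null);
$record = change_password($record, 'Copper-Lantern-88', $now);
var_dump(password_expired($record['changed_at'], $now), count($record['history']));
```

Only hashes are kept in the history, never the old passwords themselves, and the oldest entry drops off once the history exceeds its depth.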