Password expiration #8785

Closed
KB7777 opened this issue Mar 12, 2018 · 7 comments
Labels: 0. Needs triage (Pending check for reproducibility or if it fits our roadmap), enhancement, feature: users and groups

Comments

@KB7777
Contributor

KB7777 commented Mar 12, 2018

Hello.

It would be nice to have the possibility to set local users' password expiration after x days.
Usage: if a user hasn't changed the password after 30 days, the account is locked until the user changes his password (AD-like).

Need it to pass Security Department requirements.

Regards.

@rullzer
Member

rullzer commented Mar 12, 2018

If you want something like this, I suggest you set up LDAP, where you can already configure a policy like that.

Having said that, password expiration is a bad idea. Even NIST agrees on that. If you want people to use strong passwords, having them change them periodically is a bad idea.

@KB7777
Contributor Author

KB7777 commented Mar 13, 2018

Yes, I know about the NIST suggestions, but at enterprise and financial organizations it takes more time to be up to date :) Much more time, even :)

We have two instances with LDAP set up for our workers, but now there is a need for external accounts for our business financial clients, and their accounts must be out of our ADs.

MorrisJobke added the enhancement, 0. Needs triage (Pending check for reproducibility or if it fits our roadmap), and feature: users and groups labels Mar 13, 2018
@MorrisJobke
Member

@karlitschek @blizzz What is your opinion on stuff like this? IMO this is quite a complex feature pretty soon and should be tackled with tools outside of Nextcloud.

MorrisJobke changed the title from "[PR REQ] password expiration" to "Password expiration" Mar 13, 2018
@MorrisJobke
Member

May be also related to the forced password change: #1262

@MorrisJobke
Member

May be also related to the forced password change: #1262

In combination with an API for the forced password change, this could be done completely from the outside and doesn't require having the logic of when it should happen inside Nextcloud itself, which makes a lot of sense to me.

@rullzer
Member

rullzer commented Mar 13, 2018

Yes please. Because else we have to implement this deep in our code base. And we are bound to miss something. I'd rather we are NIST compliant. And all other policies should be handled somewhere else.

@MorrisJobke
Member

I added it to that ticket and will close this one here in favor of #1262
