Add User Password Expiration Functionality

[cwpnolen]

When building solutions on WordPress for medium to large sized businesses, having the ability to require users to change there password over a specific period of time is a very useful and in some cases required piece of functionality.

Proposed Functionality

• Give administrators the ability to globally enable password expiration
• When globally set, allow administrators to set the expiration interval (in days) for all or selected user roles
• Give administrators the ability to request a single user to change their password the next time they login
• Users with expired passwords need to change their password in order to proceed to the admin
• Do not allow users to use the same password twice

Use Cases

• Security policies for organizations
• Manually adding of users with temporary passwords
• Automatically require password change if site has been compromised

[johnbillion]

Thanks for the ticket, @cwpnolen!

Periodically changing passwords is seen as a security anti-pattern these days (see below) so this functionality would probably be contentious. Many of the most popular WordPress security plugins provide this as an optional feature.

I'll close this ticket as wontfix as it's firmly in plugin territory.

---

The NCSC now recommend organisations do not force regular password expiry. We believe this reduces the vulnerabilities associated with regularly expiring passwords (described above) while doing little to increase the risk of long-term password exploitation.

Ref: ​https://www.ncsc.gov.uk/blog-post/problems-forcing-regular-password-expiry

Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).

Ref: ​https://pages.nist.gov/800-63-3/sp800-63b.html

[cwpnolen]

I appreciate the information John. Thank you.