Make WordPress Core

Opened 9 days ago

Closed 8 days ago

Last modified 8 days ago

#46496 closed enhancement (wontfix)

Add User Password Expiration Functionality

Reported by: cwpnolen
Owned by: (none)
Milestone: (none)
Priority: normal
Severity: normal
Version: (none)
Component: Security
Keywords: (none)
Focuses: (none)
Cc: (none)

Description

When building solutions on WordPress for medium- to large-sized businesses, having the ability to require users to change their password over a specific period of time is a very useful and in some cases required piece of functionality.

Proposed Functionality

  • Give administrators the ability to globally enable password expiration
  • When globally set, allow administrators to set the expiration interval (in days) for all or selected user roles
  • Give administrators the ability to request a single user to change their password the next time they login
  • Users with expired passwords need to change their password in order to proceed to the admin
  • Do not allow users to use the same password twice

Use Cases

  • Security policies for organizations
  • Manually adding users with temporary passwords
  • Automatically require password change if site has been compromised
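
The third and fourth items of the proposed functionality (an administrator flags one user, and that user cannot proceed into wp-admin until they set a new password) cover the "temporary password" and "site compromised" use cases without any periodic expiry. The plugin below is an added example written for this ticket and is not code from the ticket, from WordPress core, or from any existing plugin; the plugin name, the `fpc_` function prefix and the `fpc_force_change` user-meta key are hypothetical. It uses only standard WordPress hooks and functions (`edit_user_profile`, `edit_user_profile_update`, `admin_init`, `profile_update`, `after_password_reset`, `wp_nonce_field`, `wp_verify_nonce`, `wp_safe_redirect`).

```php
<?php
/**
 * Plugin Name: Force Password Change on Next Login (example)
 * Description: Lets an administrator flag a single user; that user must set a new
 *              password before reaching any other wp-admin screen.
 */

// Hypothetical user-meta key used by this example to store the flag.
const FPC_META_KEY = 'fpc_force_change';

// Checkbox on the "Edit User" screen so an administrator can set or clear the flag.
add_action( 'edit_user_profile', 'fpc_profile_field' );
function fpc_profile_field( $user ) {
	if ( ! current_user_can( 'edit_user', $user->ID ) ) {
		return;
	}
	$flagged = (bool) get_user_meta( $user->ID, FPC_META_KEY, true );
	wp_nonce_field( 'fpc_flag_' . $user->ID, 'fpc_nonce' );
	echo '<h2>Password</h2><table class="form-table"><tr>';
	echo '<th><label for="fpc_force_change">Require new password</label></th>';
	echo '<td><input type="checkbox" name="fpc_force_change" id="fpc_force_change" value="1" '
		. checked( $flagged, true, false ) . ' /> ';
	echo 'User must change their password on next login</td></tr></table>';
}

// Save the checkbox. The capability check and nonce reject forged or replayed requests.
add_action( 'edit_user_profile_update', 'fpc_save_profile_field' );
function fpc_save_profile_field( $user_id ) {
	if ( ! current_user_can( 'edit_user', $user_id ) ) {
		return;
	}
	if ( empty( $_POST['fpc_nonce'] ) || ! wp_verify_nonce( $_POST['fpc_nonce'], 'fpc_flag_' . $user_id ) ) {
		return;
	}
	if ( ! empty( $_POST['fpc_force_change'] ) ) {
		update_user_meta( $user_id, FPC_META_KEY, 1 );
	} else {
		delete_user_meta( $user_id, FPC_META_KEY );
	}
}

// On every wp-admin page load, send a flagged user to their own profile page.
add_action( 'admin_init', 'fpc_enforce' );
function fpc_enforce() {
	if ( wp_doing_ajax() ) {
		return; // Ajax requests render no screen; the next full page load is caught.
	}
	$user_id = get_current_user_id();
	if ( ! $user_id || ! get_user_meta( $user_id, FPC_META_KEY, true ) ) {
		return;
	}
	global $pagenow;
	if ( 'profile.php' === $pagenow ) {
		return; // profile.php both shows the form and receives the POST that updates it.
	}
	wp_safe_redirect( admin_url( 'profile.php' ) );
	exit;
}

// Tell the flagged user why they landed on the profile page.
add_action( 'admin_notices', 'fpc_notice' );
function fpc_notice() {
	if ( get_user_meta( get_current_user_id(), FPC_META_KEY, true ) ) {
		echo '<div class="notice notice-warning"><p>An administrator requires you to set a new password before continuing.</p></div>';
	}
}

// Clear the flag only when the user changes their own password and the stored hash
// actually changes. An administrator setting a temporary password together with the
// flag therefore does not clear it.
add_action( 'profile_update', 'fpc_clear_on_change', 10, 2 );
function fpc_clear_on_change( $user_id, $old_user_data ) {
	if ( get_current_user_id() !== (int) $user_id ) {
		return;
	}
	$user = get_userdata( $user_id );
	if ( $user && $old_user_data && $user->user_pass !== $old_user_data->user_pass ) {
		delete_user_meta( $user_id, FPC_META_KEY );
	}
}

// The lost-password flow does not go through profile_update, so clear the flag there too.
add_action( 'after_password_reset', 'fpc_clear_after_reset' );
function fpc_clear_after_reset( $user ) {
	delete_user_meta( $user->ID, FPC_META_KEY );
}
```

The gate runs only on wp-admin screens: front-end pages and REST API requests are not blocked, and the reuse check (fifth item) is not covered, since it would require storing previous password hashes. For the temporary-password use case the same meta key can be set programmatically right after the account is created, and for the compromise use case it can be set for every user in one loop.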

Change History (2)

#1 @johnbillion
8 days ago

  • Component changed from Users to Security
  • Focuses administration removed
  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

Thanks for the ticket, @cwpnolen!

Periodically changing passwords is seen as a security anti-pattern these days (see below) so this functionality would probably be contentious. Many of the most popular WordPress security plugins provide this as an optional feature.

I'll close this ticket as wontfix as it's firmly in plugin territory.


The NCSC now recommend organisations do not force regular password expiry. We believe this reduces the vulnerabilities associated with regularly expiring passwords (described above) while doing little to increase the risk of long-term password exploitation.

Ref: https://www.ncsc.gov.uk/blog-post/problems-forcing-regular-password-expiry

Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).

Ref: https://pages.nist.gov/800-63-3/sp800-63b.html

#2 @cwpnolen
8 days ago

I appreciate the information John. Thank you.
