As an admin / security officer, I want to force a user to change a password after a given time

Q1. What is the problem that you are trying to solve?
Coming from the world of KeePass-like password managers, I am used to having passwords expire, where my password manager will force me (the user) to change the password. This goes beyond what is requested in “As a logged in user I should know if a password is about to expire and should be changed”.
As a security officer, I want the password manager, rather than any other application, to dictate whether passwords expire or not. On top of this, I want to be able to expire passwords within a group when members of that group leave my organization.

Q2 - Who is impacted?
Any security officer and user who puts his privacy before convenience (and therefore uses a password manager) as well as all users of applications that do not enforce password expiry.

Q3 - Why is it important and/or urgent?
This is a very common way to enforce password hygiene as well as a very logical and straightforward step to ensure confidentiality of my application stack. Assuming a group of users has access to all kinds of applications and 1 user leaves (group or org), the need for resetting passwords, or the enforcement thereof, is a basic security requirement.

Q4 - What is your proposed solution? (optional)
Add an optional “Expires on” or “expires after n days” field, which will trigger a change password flow within PassBolt:
The password can be used to log in to the application the password belongs to, the user then changes the password, and the changed password gets saved into PassBolt by the user. If the user does not change the password within an ‘x’ amount of time, the password gets removed from PassBolt.

Admin edit: added poll below.

Q5. Community support
People can vote for this idea to show traction:

  • :ok_woman: Must have: this is critical for me to have this
  • :raising_hand_woman: Should have: this is important for me to have this
  • :tipping_hand_woman: Could have: this could be nice to have
  • :no_good_woman: Won’t have: we should not schedule this (explain why)



@martijndevrieze I think this is a reasonable and good feature to have, except maybe for the “If the user does not change the password within an ‘x’ amount of time, the password gets removed from PassBolt.”. What about just nagging the user until they do it? Some systems do not have a “reset password” feature so straight up deleting data could be a problem.

Nagging indeed will do the trick as well. Although nagging can be ignored, which I have seen people do for long stretches of time. Indeed deleting a password might be too much of a risk.

IMHO password aging is bad practice and pushes users towards password re-use/rotation/plus-one-ing (PreviousPass111111, or TheDefaultPasswordITGaveMe+1).

Other people share this opinion: https://www.schneier.com/blog/archives/2016/08/frequent_passwo.html


I think this could be irritating for many users. My understanding is that people use password managers for security and convenience. This is a major bump on the second.
I also don’t see how strong passwords become automatically less secure over time. You would have to assume bad practices where passwords are leaked in some way, but these should be rare incidents rather than the norm, else your security is in a bad spot either way. Assuming your passwords are insecure after X days is probably an over-generalized guess and consequently (more often than not) a waste of your users’ time.
Furthermore, if all passwords of a group have to be changed (like in the example given in Q3) it should be the group manager’s responsibility to restore security and update all necessary passwords. Passbolt can automate none of that for you - the problem has to be detected and solved by manual labor - so I don’t see any real benefit here.

Changing passwords when a member leaves the group MUST NOT be directed by the password manager. It MUST be performed on the system with a password, and then reflected on the password manager, as part of the Leave Policy.