As an admin / security officer, I want to force a user to change a password after a given time


#1

Q1. What is the problem that you are trying to solve?
Coming from the world of KeePass-like password managers, I am used to having passwords expire, where my password manager will force me (the user) to change the password. This goes beyond what is requested in “As a logged in user I should know if a password is about to expire and should be changed”.
As a security officer, I want the password manager, rather than any other application, to dictate whether passwords expire or not. On top of this, I want to be able to expire passwords within a group when members of that group leave my organization.

Q2 - Who is impacted?
Any security officer and user who puts his privacy before convenience (and therefore uses a password manager) as well as all users of applications that do not enforce password expiry.

Q3 - Why is it important and/or urgent?
This is a very common way to enforce password hygiene, as well as a very logical and straightforward step to ensure the confidentiality of my application stack. Assuming a group of users has access to all kinds of applications and one user leaves (the group or the organization), the need for resetting passwords, or the enforcement thereof, is a basic security requirement.

Q4 - What is your proposed solution? (optional)
Add an optional “Expires on” or “expires after n days” field, which will trigger a change-password flow within PassBolt:
The password can be used to log in to the application it belongs to, the user then changes the password, and the changed password gets saved into PassBolt by the user. If the user does not change the password within an ‘x’ amount of time, the password gets removed from PassBolt.

Admin edit: added poll below.


#2

Q5. Community support
People can vote for this idea to show traction:

  • :ok_woman: Must have: this is critical for me to have this
  • :raising_hand_woman: Should have: this is important for me to have this
  • :tipping_hand_woman: Could have: this could be nice to have
  • :no_good_woman: Won’t have: we should not schedule this (explain why)

0 voters


#3

@martijndevrieze I think this is a reasonable and good feature to have, except maybe for the “If the user does not change the password within an ‘x’ amount of time, the password gets removed from PassBolt”. What about just nagging the user until they do it? Some systems do not have a “reset password” feature, so straight up deleting data could be a problem.


#4

Nagging will indeed do the trick as well, although nagging can be ignored, which I have seen people do for long stretches of time. Deleting a password might indeed be too much of a risk.
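The expiry policy proposed in Q4 (“expires on” / “expires after n days”, plus group-wide expiry when a member leaves), combined with the nag-instead-of-delete behaviour argued for in #3 and #4, as an added Python example that is not part of this thread or of Passbolt's own code. The `Secret` model, the status names and the warn/grace periods are assumptions made for the example; after the grace period it escalates to the security officer rather than deleting the entry.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Secret:
    name: str
    group: str                                # group the secret is shared with
    last_changed: date
    expires_after_days: Optional[int] = None  # the "expires after n days" field
    expires_on: Optional[date] = None         # the "expires on" field
    forced_expiry: Optional[date] = None      # set when a group member leaves

    def expiry_date(self) -> Optional[date]:
        """Earliest of the configured expiry dates, or None if the secret never expires."""
        dates = [d for d in (self.expires_on, self.forced_expiry) if d is not None]
        if self.expires_after_days is not None:
            dates.append(self.last_changed + timedelta(days=self.expires_after_days))
        return min(dates) if dates else None

def status(secret: Secret, today: date, warn_days: int = 7, grace_days: int = 14) -> str:
    """Classify a secret: warn before expiry, nag after it, escalate once the grace period is over."""
    exp = secret.expiry_date()
    if exp is None:
        return "no-expiry"
    if today < exp - timedelta(days=warn_days):
        return "ok"
    if today < exp:
        return "expiring-soon"        # "about to expire" warning for the user
    if today < exp + timedelta(days=grace_days):
        return "expired-nag"          # nag on every use instead of deleting the entry
    return "overdue"                  # nag has been ignored: report to the security officer

def expire_group(vault: list, group: str, today: date) -> list:
    """A member left `group`: force every still-valid secret shared with it to expire today."""
    touched = []
    for s in vault:
        exp = s.expiry_date()
        if s.group == group and (exp is None or exp > today):
            s.forced_expiry = today
            touched.append(s.name)
    return touched

TODAY = date(2024, 6, 1)  # constructed sample data below, not a real vault
VAULT = [
    Secret("erp-admin", "finance", date(2024, 3, 1), expires_after_days=90),
    Secret("bank-portal", "finance", date(2024, 1, 10), expires_on=date(2024, 6, 5)),
    Secret("payroll", "finance", date(2024, 5, 1), expires_after_days=365),
    Secret("wiki", "engineering", date(2023, 1, 1)),
]
```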