On Apr 12, 6:47 am, Harish Tejwani <har...@wizni.com> wrote:
> What would be the best module or app that can support
>
> a) User's Password expiring every 6 months, so they are forced to
> change it

Although Django supports it, I would STRONGLY discourage you from
implementing such a policy.  Password expiration is well known in the
security community as being a horrible idea that has somehow become
popular.  Refer to Bruce Schneier's writings on the subject if you
want more information, but briefly, expiring passwords is based on the
assumption that a bad guy has acquired an encrypted password and needs
longer than the expiration period to crack the encryption.  This
assumption is nearly always false, especially with a 6-month
expiration period.

The other reason it's a horrible idea is that it forces people to pick
bad passwords.  Choosing a good password takes time, and suddenly
presenting them with a requirement that they pick a new password makes
that time unavailable.  (FWIW, my current password is over six years
old.  My servers get attacked daily and have never been cracked.)

> b) For new users that get system generated passwords, and are forced
> to change at FIRST login

This is a much more sensible idea, but if you want your users to be
safe, be sure they are notified of this requirement well before the
first login, so that they can spend some time thinking about good
passwords.
