Oops, about your spec: "When the password expires, the system MUST NOT accept it for logging in. However, the system MUST accept the old password as validation when entering the new password."
Not the right way. Should be: "When the password expires, the system MUST accept it for logging in BUT only to display a page 'Password expired, please choose new one + form to set it'."

1) The system MUST NOT keep the passwords in clear text (standard, but as you wrote, it keeps a history of the passwords, and it's a history of hashes; better clarify).
2) The expiry date should be accessible from the template (e.g. when you fetch the user, so you can add a warning + link to the change password page).

On 03/12/2007, Gunnstein Lye <[EMAIL PROTECTED]> wrote:
> Hello all!
>
> I have attached a little specification of some new password handling features:
> - password validation constraints
> - password expiration
>
> I'd like to know if some or all of this has already been implemented, and if
> the author is willing to share?
>
> best regards,
> --
> Gunnstein Lye
> Systems engineer
> [EMAIL PROTECTED] | eZ Systems | http://ez.no
>
> --
> Sdk-public mailing list
> [email protected]
> http://lists.ez.no/mailman/listinfo/sdk-public
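The flow proposed in this reply, sketched as an added example that is not part of the original thread and is not eZ Publish code: an expired password still authenticates, but only into a "change required" state, and the history holds salted hashes only. The `User` class, function names, the 90-day age, the history depth of 5 and the PBKDF2 parameters are all assumptions made for illustration.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MAX_AGE = timedelta(days=90)   # assumed expiry policy
HISTORY_DEPTH = 5              # assumed number of remembered hashes

def _hash(password: str, salt: bytes) -> bytes:
    # Illustrative KDF parameters; only the derived digest is ever stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class User:
    history: list = field(default_factory=list)  # [(salt, digest)], newest last
    changed_at: datetime = None

    def expires_at(self) -> datetime:
        # Exposed so a template can show a warning before expiry.
        return self.changed_at + MAX_AGE

def _matches(password: str, entry) -> bool:
    salt, digest = entry
    return hmac.compare_digest(_hash(password, salt), digest)

def set_password(user: User, new: str, now: datetime) -> None:
    # Reuse check works against hashes: re-derive with each stored salt.
    if any(_matches(new, e) for e in user.history):
        raise ValueError("password was used before")
    salt = os.urandom(16)
    user.history = (user.history + [(salt, _hash(new, salt))])[-HISTORY_DEPTH:]
    user.changed_at = now

def login(user: User, password: str, now: datetime) -> str:
    """Return 'denied', 'ok' or 'change_required'."""
    if not user.history or not _matches(password, user.history[-1]):
        return "denied"
    if now >= user.expires_at():
        # Authenticated, but the session may only reach the change form.
        return "change_required"
    return "ok"

def change_password(user: User, old: str, new: str, now: datetime) -> None:
    # The old password validates the change even when it has expired.
    if login(user, old, now) == "denied":
        raise PermissionError("current password incorrect")
    set_password(user, new, now)
```

The caller has to enforce the `change_required` state itself, for instance by issuing a session that is authorised for the change-password page and nothing else.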
