Re: Password Auto-reset and Expiry Policy (every X Months)
On Apr 12, 6:47 am, Harish Tejwani wrote:
> What would be the best module or app that can support
>
> a) User's Password expiring every 6 months, so they are forced to
> change it

Although Django supports it, I would STRONGLY discourage you from implementing such a policy. Password expiration is well known in the security community as being a horrible idea that has somehow become popular. Refer to Bruce Schneier's writings on the subject if you want more information, but briefly, expiring passwords is based on the assumption that a bad guy has acquired an encrypted password and needs longer than the expiration period to crack the encryption. This assumption is nearly always false, especially with a 6-month expiration period.

The other reason it's a horrible idea is that it forces people to pick bad passwords. Choosing a good password takes time, and suddenly presenting them with a requirement that they pick a new password makes that time unavailable.

(FWIW, my current password is over six years old. My servers get attacked daily and have never been cracked.)

> b) For new user's that get system generated passwords, and are forced
> to change at FIRST login

This is a much more sensible idea, but if you want your users to be safe, be sure they are notified of this requirement well before the first login, so that they can spend some time thinking about good passwords.

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to django-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.

Re: Password Auto-reset and Expiry Policy (every X Months)
Django's auth module will do just fine. You can store other information, such as 'date_password_modified' in a model (UserProfile perhaps) which has a one-to-one correspondence with User. Then you need to override the login view to check the validity of the password based on this field.

Now to determine the first login, you can add a first_login boolean field to this model as well and use it for checking.

--
Gladys
http://blog.bixly.com

On Apr 12, 2:47 am, Harish Tejwani wrote:
> What would be the best module or app that can support
>
> a) User's Password expiring every 6 months, so they are forced to
> change it
>
> b) For new user's that get system generated passwords, and are forced
> to change at FIRST login
>
> Any ideas/suggestions would help how to go about implementing this
>
> Following are currently installed APPS
>
> INSTALLED_APPS = (
>     'django.contrib.auth',
>     'django.contrib.contenttypes',
>     'django.contrib.sessions',
>     'django.contrib.sites',
>     'django.contrib.messages',
>     'django.contrib.staticfiles',
>     # Uncomment the next line to enable the admin:
>     'django.contrib.admin',
>     # Uncomment the next line to enable admin documentation:
>     'django.contrib.admindocs',
>     'django.contrib.staticfiles',
> )

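One way to implement the check described in the reply above, as an added example that is not part of the original thread: the decision a login view could make after authentication succeeds, kept free of Django imports so it runs on its own. The `UserProfile` dataclass stands in for the one-to-one profile model; `Decision`, `check_password_policy`, `record_password_change` and the 182-day default are assumptions, not Django APIs.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"
    CHANGE_FIRST_LOGIN = "change_first_login"
    CHANGE_EXPIRED = "change_expired"


@dataclass
class UserProfile:
    # Stand-in for the profile model; field names follow the reply above.
    first_login: bool = True
    date_password_modified: Optional[datetime] = None


def check_password_policy(profile, now, max_age=timedelta(days=182)):
    """Decide what the login view should do once the password has verified.

    max_age=None turns periodic expiry off and keeps only the first-login rule.
    """
    if profile.first_login:
        return Decision.CHANGE_FIRST_LOGIN
    if max_age is None:
        return Decision.ALLOW
    modified = profile.date_password_modified
    if modified is None:
        # No recorded change date: fail closed instead of treating it as fresh.
        return Decision.CHANGE_EXPIRED
    if modified.tzinfo is None or now.tzinfo is None:
        raise ValueError("use timezone-aware datetimes for expiry checks")
    return Decision.CHANGE_EXPIRED if now - modified >= max_age else Decision.ALLOW


def record_password_change(profile, now):
    """Call from the password-change view after the new password is saved."""
    profile.first_login = False
    profile.date_password_modified = now


# Constructed sample data, not taken from the thread.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
new_user = UserProfile()
old_user = UserProfile(False, NOW - timedelta(days=200))
recent_user = UserProfile(False, NOW - timedelta(days=30))
```

In a Django project the login view would redirect to the password-change view on either `CHANGE_*` result instead of completing the login.
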
Password Auto-reset and Expiry Policy (every X Months)
What would be the best module or app that can support

a) User's Password expiring every 6 months, so they are forced to change it

b) For new user's that get system generated passwords, and are forced to change at FIRST login

Any ideas/suggestions would help how to go about implementing this

Following are currently installed APPS

INSTALLED_APPS = (
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.sites',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    # Uncomment the next line to enable the admin:
    'django.contrib.admin',
    # Uncomment the next line to enable admin documentation:
    'django.contrib.admindocs',
    'django.contrib.staticfiles',
)