Notify users without outdated phpass passwords that they need to reset their password

Created on 4 April 2023, about 1 year ago

Problem/Motivation

Spin off from "Notify users that they need to reset their password when it matches an unsupported hash type" (Active), which is itself a spin-off from "Replace custom password hashing library with PHP password_hash()" (Fixed).

Eventually, we will move core's custom phpass password hashing logic out of core.

Some sites will then have users that haven't logged in for months or years, who need to reset their passwords.

It would be feasible to detect the old phpass hash, and give those users an additional hint that they should definitely reset their passwords. However, this potentially allows enumeration that there are old hashes in the database, so we might also not want to do that.

Postponed on "Notify users that they need to reset their password when it matches an unsupported hash type" (Active) because we should definitely do the admin-facing message first.

Steps to reproduce

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

✨ Feature request
Status

Postponed

Version

10.1 ✨

Component
User module

Last updated 2 days ago

Created by

🇬🇧 United Kingdom catch
