Koozali.org: home of the SME Server

User account expiration

Offline Daniel B.

User account expiration
« on: July 31, 2017, 03:51:13 PM »
I just noticed that I never announced a contrib I've written, which handles (nicely IMHO) user account expiration. You can get installation instructions here: https://wiki.contribs.org/ExpireAccounts
This contrib lets you set an expiry date for user accounts, with some useful options (like automatically forwarding email to someone else on the day the account is locked, sending an auto-response when the account expires, archiving and deleting the account after it has been locked, etc.)
« Last Edit: July 31, 2017, 04:12:52 PM by Daniel B. »
It's the end of the world !!! :lol:

Offline Stefano

Re: User account expiration
« Reply #1 on: July 31, 2017, 04:10:56 PM »
Hi Dani, thank you for your contrib, really useful indeed

It's a pity that we have n panels to manage users and their properties: password expiration, user expiration, etc.

thank you anyway, will try it asap

Offline CharlieBrady

Re: User account expiration
« Reply #2 on: August 01, 2017, 05:44:09 PM »
> It's a pity that we have n panels to manage users and their properties: password expiration, user expiration, etc.

There's lots of research showing that password expiration is a bad idea. The latest NIST recommendations discourage automatic password expiration:

https://forum.level1techs.com/t/goodbye-password-expiry-policies-nist-800-63-is-here/117019
https://www.crowehorwath.com/cybersecurity-watch/nist-password-expirations/
https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/

Offline Daniel B.

Re: User account expiration
« Reply #3 on: August 01, 2017, 05:50:44 PM »
I agree that password expirations are problematic. The default password strength rules in SME are too IMHO. We should accept long enough passwords even if there's no non-alphanumeric, or no case mix. Fastwords are better ;-)
Anyway, password policy is yet another topic, as this contrib just focuses on account expiration.
It's the end of the world !!! :lol:

Offline Stefano

Re: User account expiration
« Reply #4 on: August 01, 2017, 05:54:37 PM »
Password expiration is mandatory in some countries. In Italy for sure.

Offline CharlieBrady

Re: User account expiration
« Reply #5 on: August 01, 2017, 09:16:50 PM »
> Password expiration is mandatory in some countries. In Italy for sure.

I predict that will change. Could take a while though...

Offline Stefano

Re: User account expiration
« Reply #6 on: August 01, 2017, 10:28:14 PM »
Unfortunately no, at least here.
The password expiration contrib was created by me many years ago because I needed it.
Italian privacy law says that password expiration is mandatory and gives strong rules.
It won't change, for sure.
In any case, I feel that forcing people to use strong passwords and change them often is a good thing.

Offline Daniel B.

Re: User account expiration
« Reply #7 on: August 01, 2017, 10:33:19 PM »
The problem is that using strong passwords goes against changing them often. It's just not possible for a normal human to remember strong, and each time different, passwords. The result is that passwords end up written somewhere near the screen or the keyboard.
It's the end of the world !!! :lol:

Offline Stefano

Re: User account expiration
« Reply #8 on: August 01, 2017, 10:37:15 PM »
Maybe.
It might sound absurd, but it's not a problem of mine, here.
Once I set up my systems to follow our laws, I'm OK and have no responsibility.