Koozali.org: home of the SME Server

Obsolete Releases => SME 9.x Contribs => Topic started by: Daniel B. on July 31, 2017, 03:51:13 PM

Title: User account expiration
Post by: Daniel B. on July 31, 2017, 03:51:13 PM
I just noticed that I never announced a contrib I've written, which handles (nicely IMHO) user account expiration. You can get installation instructions here: https://wiki.contribs.org/ExpireAccounts
This contrib lets you set an expiry date for a user account, with some useful options (like automatically forwarding email to someone else on the day the account is locked, sending an auto-response when the account expires, archiving and deleting the account after it has been locked, etc.)
Title: Re: User account expiration
Post by: Stefano on July 31, 2017, 04:10:56 PM
Hi Dani, thank you for your contrib, really useful indeed

It's a pity that we have n panels to manage users and their properties.. password expiration, user expiration etc.

thank you anyway, will try it asap
Title: Re: User account expiration
Post by: CharlieBrady on August 01, 2017, 05:44:09 PM
It's a pity that we have n panels to manage users and their properties.. password expiration, user expiration etc.

There's lots of research showing that password expiration is a bad idea. The latest NIST recommendations discourage automatic password expiration:

https://forum.level1techs.com/t/goodbye-password-expiry-policies-nist-800-63-is-here/117019
https://www.crowehorwath.com/cybersecurity-watch/nist-password-expirations/
https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/
Title: Re: User account expiration
Post by: Daniel B. on August 01, 2017, 05:50:44 PM
I agree that password expirations are problematic. The default password strength rules in SME are too IMHO. We should accept long enough passwords even if there's no non-alphanumeric character, or no case mix. Fastwords are better ;-)
Anyway, password policy is yet another topic, as this contrib just focuses on account expiration.
Title: Re: User account expiration
Post by: Stefano on August 01, 2017, 05:54:37 PM
Password expiration is mandatory in some countries.. In Italy for sure
Title: Re: User account expiration
Post by: CharlieBrady on August 01, 2017, 09:16:50 PM
Password expiration is mandatory in some countries.. In Italy for sure

I predict that will change. Could take a while though...
Title: Re: User account expiration
Post by: Stefano on August 01, 2017, 10:28:14 PM
Unfortunately no, at least here.
The password expiration contrib was created by me many years ago because I needed it.
Italian privacy law says that password expiration is mandatory and gives strong rules.
It won't change, for sure.
In any case, I feel that forcing people to use strong passwords and change them often is a good thing.
Title: Re: User account expiration
Post by: Daniel B. on August 01, 2017, 10:33:19 PM
The problem is that using strong passwords goes against changing them often. It's just not possible for a normal human to remember strong, and each time different, passwords. The result is that passwords end up written somewhere near the screen or the keyboard.
Title: Re: User account expiration
Post by: Stefano on August 01, 2017, 10:37:15 PM
Maybe.
It might sound absurd, but it's not a problem of mine, here.
Once I set up my systems to follow our laws, I'm OK and have no responsibility.