New password policies: password expiration, password rotation limit and prevent commonly used or compromised passwords

We need to add a couple of password policies:

1) Password expiration

We need to be able to configure that passwords can expire: should a user log in after a pre-configured number of months (default 12 months), then s/he must create a new password. If the option is 0 months, then the policy does not apply.

2) Password rotation limit

We need to prevent users from re-using previous passwords. Default 3 generations. If the option is 0 months, then the policy does not apply.

Note that this might not apply to integrations. Only for native LAMS users.

Ernie Ghiglione
February 15, 2021, 12:51 PM

3) Prevent passwords that are commonly used or have been compromised.

  • Check that the user does not attempt to use the username, userid, names or email as password

  • Doesn’t use commonly used passwords (get a list for this)

  • Prevent compromised passwords.
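
The three policies requested above (expiration, rotation history, and rejecting identity-derived, commonly used or compromised passwords), as an added Python example that is not LAMS code or the passpol library; the policy field names, the constructed word lists and the unsalted SHA-256 history digests are assumptions made for the demo.

```python
"""Password policy checks sketched from the issue. Example code, not LAMS."""
from dataclasses import dataclass, field
from datetime import date
import hashlib

# Constructed sample data standing in for real lists (not from LAMS or the issue).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "welcome1"}
COMPROMISED_SHA1 = {hashlib.sha1(p.encode()).hexdigest() for p in ("letmein", "summer2020")}


@dataclass
class PasswordPolicy:
    expiry_months: int = 12        # 0 disables expiration (issue default 12)
    history_generations: int = 3   # 0 disables the re-use check (issue default 3)


@dataclass
class User:
    login: str
    email: str
    names: tuple                   # first and last name
    password_change_date: date     # mirrors lams_user.password_change_date
    # Digests of the current and earlier passwords, most recent first. Demo only:
    # plain SHA-256; a real store keeps salted hashes and verifies each entry.
    password_history: list = field(default_factory=list)


def digest(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def months_between(earlier: date, later: date) -> int:
    months = (later.year - earlier.year) * 12 + later.month - earlier.month
    return months - 1 if later.day < earlier.day else months


def is_expired(user: User, policy: PasswordPolicy, today: date) -> bool:
    if policy.expiry_months == 0:
        return False
    return months_between(user.password_change_date, today) >= policy.expiry_months


def new_password_violations(user: User, candidate: str, policy: PasswordPolicy) -> list:
    """Return every policy reason to reject the candidate (empty list means accepted)."""
    reasons, lowered = [], candidate.lower()
    identity = [user.login, user.email, user.email.split("@")[0], *user.names]
    if any(part and part.lower() in lowered for part in identity):
        reasons.append("contains login, email or name")
    if lowered in COMMON_PASSWORDS:
        reasons.append("commonly used password")
    if hashlib.sha1(candidate.encode()).hexdigest() in COMPROMISED_SHA1:
        reasons.append("appears in compromised list")
    if policy.history_generations and digest(candidate) in user.password_history[:policy.history_generations]:
        reasons.append(f"reused within last {policy.history_generations} passwords")
    return reasons
```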

Marcin Cieślak
February 16, 2021, 1:06 PM

Ernie, merged to 4.0. Please test.

To check password expiration you can modify password_change_date in lams_user.

If password rotation (history) is off, we still collect old passwords, up to 50 per user, in case admin wants to turn this feature on later.
Password rotation is not checked when admin changes a password for a user, only when the user changes the password for himself. It seems odd for an admin to learn what passwords a user has used in the past. Let me know if we want admin to do this check too.

To easily check the password against login, email etc., it is useful to turn off other password restrictions in sysadmin.

I had to recompile passpol library with Java 11 so we could use it in current LAMS version. It works OK.

Let me know if it all works and if the wording is OK. I will then add labels to Lokalise.

Ernie Ghiglione
February 17, 2021, 1:28 AM

We are done here Marcino. Thanks
