We need to add a couple of password policies:
1) Password expiration
We need to be able to configure that passwords can expire: should a user log in after a pre-configured number of months (default 12 months), then s/he must create a new password. If the option is 0 months, then the policy does not apply.
2) Password rotation limit
We need to prevent users from re-using previous passwords. Default 3 generations. If the option is 0 months, then policy does not apply.
Note that this might not apply to integrations. Only for native LAMS users.
3) Prevent passwords that are commonly used or have been compromised.
Check that the user does not attempt to use the username, userid, names or email as password
Doesn’t use commonly used passwords (get a list for this)
Prevent compromised passwords.
Ernie, merged to 4.0. Please test.
To check password expiration you can modify password_change_date in lams_user.
If password rotation (history) is off, we still collect old passwords up to 50 per user, in case admin wants to turn this feature on later.
Password rotation is not checked when admin changes a password for a user, only when a user changes the password for himself. It seems odd for admin to learn what passwords a user has used in the past. Let me know if we want admin to do this check too.
To easily check against password vs login, email etc. it is useful to turn off other password restrictions in sysadmin.
I had to recompile passpol library with Java 11 so we could use it in current LAMS version. It works OK.
Let me know if it all works and if your wording is OK. I will then add labels to Lokalise.
We are done here Marcino. Thanks
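The expiration and rotation rules discussed in this ticket, as an added Java sketch that is not LAMS code: the class, method and variable names, the newest-first history layout and the use of salted PBKDF2 for stored passwords are all assumptions made for illustration.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.LocalDate;
import java.util.LinkedList;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added sketch: all names here are assumptions, not LAMS classes or columns.
public class PasswordPolicySketch {
    static final int HISTORY_STORED = 50; // kept per user even when rotation is off

    // Expiration: 0 months disables the policy.
    static boolean isExpired(LocalDate changed, int months, LocalDate today) {
        return months > 0 && !today.isBefore(changed.plusMonths(months));
    }

    // PBKDF2 is this sketch's choice of password hash.
    static byte[] hash(String password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 100_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    // Store {salt, hash} newest first and trim to the storage cap.
    static void remember(LinkedList<byte[][]> history, String password) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        history.addFirst(new byte[][] { salt, hash(password, salt) });
        while (history.size() > HISTORY_STORED) history.removeLast();
    }

    // Rotation: limit 0 disables the check; skipped when an admin sets the password.
    static boolean isReused(String candidate, LinkedList<byte[][]> history, int limit, boolean byAdmin)
            throws Exception {
        if (limit == 0 || byAdmin) return false;
        for (byte[][] e : history.subList(0, Math.min(limit, history.size())))
            if (MessageDigest.isEqual(hash(candidate, e[0]), e[1])) return true;
        return false;
    }

    public static void main(String[] args) throws Exception {
        LinkedList<byte[][]> history = new LinkedList<>(); // constructed sample data
        for (String p : new String[] { "old-1", "old-2", "old-3", "old-4" }) remember(history, p);
        System.out.println(isReused("old-2", history, 3, false)); // within the last 3 generations
        System.out.println(isReused("old-1", history, 3, false)); // 4 generations back
        System.out.println(isReused("old-4", history, 3, true));  // admin-initiated change
        System.out.println(isExpired(LocalDate.of(2020, 1, 15), 12, LocalDate.of(2021, 1, 15)));
        System.out.println(isExpired(LocalDate.of(2020, 1, 15), 0, LocalDate.of(2030, 1, 1)));
    }
}
```

Because each stored entry is salted, the reuse check has to re-hash the candidate once per history entry, so the configured generation limit also bounds the cost of every password change.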