
mbabker - 17 Feb 2014

Overview

IMPORTANT: Please see Joomla! Tracker item 33296

In the core CMS, there is currently no check to see whether a user is reusing their current password when resetting it (either voluntarily or via the remind/reset feature), which allows users to keep the same password indefinitely. This pull request adds a check to the save methods that detects password reuse and disallows it. Note that no option is included to disable this check; if this PR is accepted, users will be required to use a different password whenever they change it, unless the core code is hacked or bypassed.

The check uses the current hashing API, JUserHelper::verifyPassword(), to compare the new clear-text password against the existing hashed password (the same logic used in the login system).

Test instructions

To test this feature, you will need to apply the patch. Once applied, log into the admin section and attempt to change your password, either in the User Manager or by editing your profile via the shortcut in the top menu, using your current password; the save operation should fail with a message detailing why. Now attempt to save again using a different password; the operation should succeed. Finally, make another change without changing the password; the operation should succeed.

Now log into the front end and edit the user profile. Again, attempt to change your password and reuse the existing password; the save should fail with a message explaining why. Now use a different password and the save should succeed. Lastly, make another change to the profile without changing the password; the operation should succeed.

Project management information

Backwards compatibility

Within the API, there is no B/C break with this patch.

Developer information

N/A; no API changes are made with this patch.

Language changes

This PR adds language strings to convey the added check in updating the user profile.
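The following is an added example (not Joomla code, and not part of this PR) showing the shape of the check the description refers to. The function and hash-format names are my own, with PBKDF2 standing in for Joomla's hashing; the point it illustrates is the one the PR relies on: because stored hashes are salted, two hashes of the same password never match, so the only way to detect reuse is to verify the new clear-text password against the stored hash, exactly as the login path does. Going beyond the PR, it also accepts a history depth, so the same routine can check the current hash only (the PR's behaviour) or the last N hashes.

```python
"""Password-reuse check by verifying clear text against stored salted hashes.

Added example, not Joomla code. `hash_password`/`verify_password` are a PBKDF2
stand-in for JUserHelper::hashPassword()/verifyPassword(); the hash format is
made up for this example. `check_password_change` treats an empty new password
as "profile saved without changing the password" (an assumption about the
form, not something the PR states).
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import os

# Language key the PR adds; reused here as the error code.
REUSE_ERROR = "JLIB_USER_ERROR_CANNOT_REUSE_PASSWORD"


def hash_password(password: str, salt: bytes | None = None, iterations: int = 100_000) -> str:
    """Return a self-describing 'pbkdf2_sha256$iter$salt$dk' string with a fresh random salt."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return f"pbkdf2_sha256${iterations}${b64(salt)}${b64(dk)}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the salt embedded in `stored` and compare in constant time.

    This is the same operation the login path performs, which is why the PR can
    reuse it: comparing hash strings directly would never match.
    """
    try:
        algo, iterations, salt_b64, dk_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        rounds = int(iterations)
    except (ValueError, TypeError):
        return False  # malformed or foreign hash: never treat as a match
    if algo != "pbkdf2_sha256":
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(actual, expected)


def check_password_change(new_password: str, hashes: list[str], history_depth: int = 1) -> str | None:
    """Return None when the save may proceed, or REUSE_ERROR when the new password
    matches one of the last `history_depth` stored hashes (hashes[0] is current).
    history_depth=1 is the PR's behaviour: only the current password is checked.
    """
    if new_password == "":
        return None  # password field left blank: nothing to check
    for stored in hashes[:history_depth]:
        if verify_password(new_password, stored):
            return REUSE_ERROR
    return None


def rotate_password(new_password: str, hashes: list[str], history_depth: int = 1) -> list[str]:
    """Run the check, then prepend the new hash, keeping only as much history as the policy needs."""
    error = check_password_change(new_password, hashes, history_depth)
    if error is not None:
        raise ValueError(error)
    return [hash_password(new_password)] + hashes[: max(history_depth - 1, 0)]


if __name__ == "__main__":
    current = hash_password("correct horse")
    # Salted hashes of the same password differ, so a string compare is useless...
    print("hash strings equal:", current == hash_password("correct horse"))      # False
    # ...but verifying the clear text against the stored hash finds the reuse.
    print("reuse of current:", check_password_change("correct horse", [current]))  # REUSE_ERROR
    print("blank password:  ", check_password_change("", [current]))               # None

    # With depth 1 the two-step workaround (change to B, then back to A) passes.
    history = rotate_password("battery staple", [current], history_depth=1)
    print("A->B->A, depth 1:", check_password_change("correct horse", history, 1))  # None
    # Remembering a few previous hashes closes it.
    history = rotate_password("battery staple", [current], history_depth=3)
    print("A->B->A, depth 3:", check_password_change("correct horse", history, 3))  # REUSE_ERROR
```

The `history_depth` parameter is what separates the PR's check from the "change it twice" objection raised in the comments: with a depth of 1 the old password becomes acceptable again after one intermediate change, while a depth of 3 or 4 rejects it until enough genuinely new passwords have been set. Either way the comparison must go through the verify routine, never through the hash strings.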

mbabker - open - 17 Feb 2014

beat - comment - 17 Feb 2014

As just commented on the forge tracker:

IMHO, this feature should only kick-in when it is the site admin that asks to change the password.

Apart from that, as a user I personally find it an annoying feature (and, as a site admin, an inefficient one), as having a single (head-computed) complex password per site is the best way to avoid password abuse on other sites. Additionally, it is quickly worked around, as you just change your password twice if you want to reuse the old one.

If the goal is to avoid the password that was previously stored with a weak hash and exposed in a site breach, then the password to compare against should be the old weak-hashed password (EDIT: in NON-weak-hashed form).

If the goal is to provide banking level security, then comparing with the 4 last-used passwords + all the ones that have been weakly-stored-and-exploited would be better. But that's not the main market of Joomla.

Thus, to follow the 90%-of-users-need-it rule, my feeling is that such kind of features should not be implemented in the core, but as a separate plugin.

infograf768 - comment - 17 Feb 2014

I suggest, if the feature is implemented, to always use JLIB_USER_ERROR_CANNOT_REUSE_PASSWORD and not create a specific COM_USERS_ERROR_CANNOT_REUSE_PASSWORD.

mbabker - comment - 26 Mar 2014

I'm going to integrate this into #3128 as requested on JoomlaCode in that item (forcing a user to reset password still lets them use the current password).

mbabker - change - 26 Mar 2014
Status: New -> Closed
Closed_Date: 0000-00-00 00:00:00 -> 2014-03-26 21:25:51
mbabker - close - 26 Mar 2014
mbabker - head_ref_deleted - 26 Mar 2014
