IMPORTANT: Please see Joomla! Tracker item 33296
In the core CMS, currently there is no check to see if a user is reusing their current password when resetting it (either voluntarily or via the remind/reset feature), which allows users to use the same password repeatedly. This pull request implements a check into the save methods to check for password reuse and disallows it. Note that no option is included to disable this check; if this PR is accepted, without hacking the core code or bypassing its use, users will be required to use different passwords when they are changed.
This check utilizes the current hashing API, JUserHelper::verifyPassword(), to perform this check by comparing the new clear text password against the existing hashed password (which is the same logic used in the login system).
To test this feature, you will need to apply the patch. Once applied, log in to the admin section and attempt to change your password in either the User Manager or by editing your profile using the shortcut in the top menu, using your current password; the save operation should fail with a message detailing why. Now, using a different password, attempt to save again; the operation should succeed. Now make another change without changing the password; the operation should succeed.
Now log into the front end and edit the user profile. Again, attempt to change your password and reuse the existing password; the save should fail with a message explaining why. Now use a different password and the save should succeed. Lastly, make another change to the profile without changing the password; the operation should succeed.
Within the API, there is no B/C break with this patch.
N/A; no API changes are made with this patch.
This PR adds language strings to convey the added check in updating the user profile.
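Added example, not the PR's own code: a stand-alone version of the reuse check the description above outlines. Joomla's JUserHelper::verifyPassword() is replaced by PHP's built-in password_verify() so it runs without the CMS; the function name checkPasswordReuse and the sample passwords are assumptions, and the language key is the one named in this thread.

```php
<?php
// Added example (not the PR's code). JUserHelper::verifyPassword() is stood in
// for by PHP's password_verify(); the comparison is the same: clear-text
// candidate against the stored hash, exactly as the login path does it.

/**
 * Decide whether a profile save may proceed.
 *
 * @param string      $newPassword  Clear-text password from the form;
 *                                  an empty string means "not changed".
 * @param string|null $storedHash   Hash currently stored for the user.
 * @return array  ['allowed' => bool, 'message' => string]
 */
function checkPasswordReuse($newPassword, $storedHash)
{
    // Saving the profile without touching the password field is allowed
    // (the "make another change without changing the password" test case).
    if ($newPassword === '') {
        return array('allowed' => true, 'message' => '');
    }

    // Reuse is detected when the new clear text verifies against the old hash.
    if ($storedHash !== null && password_verify($newPassword, $storedHash)) {
        return array(
            'allowed' => false,
            'message' => 'JLIB_USER_ERROR_CANNOT_REUSE_PASSWORD',
        );
    }

    return array('allowed' => true, 'message' => '');
}

// Constructed sample run: one stored hash, three save attempts.
$currentHash = password_hash('correct horse battery staple', PASSWORD_BCRYPT);

$attempts = array(
    'reuse current password' => 'correct horse battery staple',
    'choose a new password'  => 'a different passphrase 2014',
    'leave password blank'   => '',
);

foreach ($attempts as $label => $submitted) {
    $result = checkPasswordReuse($submitted, $currentHash);
    printf("%-24s => %s %s\n", $label,
        $result['allowed'] ? 'saved' : 'rejected', $result['message']);
}
```

The first attempt is rejected with the language key, the other two are saved; the empty-password path is what keeps unrelated profile edits working.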
I suggest, if the feature is implemented, to always use the JLIB_USER_ERROR_CANNOT_REUSE_PASSWORD and not create a specific COM_USERS_ERROR_CANNOT_REUSE_PASSWORD.
Status | New | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2014-03-26 21:25:51 |
As just commented on the forge tracker:
IMHO, this feature should only kick in when it is the site admin that asks to change the password.
Apart from that, as a user, I personally find it an unnerving feature (and as site admin an inefficient feature), as having a single (head-computed) complex password per site is the best way to avoid password abuse on other sites. Additionally, it is quickly worked around, as you just change your password twice if you want to re-use the old one.
If the goal is to avoid the password that has been used previously with a weak hash and after a site breach, then the password to compare to should be the old weak-hashed password (EDIT: in NON-weak-hashed form).
If the goal is to provide banking-level security, then comparing with the 4 last-used passwords + all the ones that have been weakly-stored-and-exploited would be better. But that's not the main market of Joomla.
Thus, to follow the 90%-of-users-need-it rule, my feeling is that this kind of feature should not be implemented in the core, but as a separate plugin.