08-21-2017, 09:45 PM
I implemented this when I added in a password strength check. From the admin page you can force all users to reset their password, which takes effect on next page load mid-session. This is useful for db breaches or changes to your strength logic. From admin_user.php you can set a single person to the same effect, and creating a new user through the admin page also uses this.
I also have a check that looks at anyone who doesn't pass the strength check and requires a new password on their next login (this only affects users with accounts made prior to password strength enforcement and that also have weak passwords).
Lastly I added in the ability to auto-force a reset every x months, depending on the value you set in admin.php, and remembers the last x passwords so you cannot reuse them (also set in admin.php).
Each reset type has a code in the users db table (1= everyone, 2= weak password, 3= expired, 4= single user) that the forgot password form uses to give the correct text to the user.
I'd share the code with you but I've had to heavily modify US to work with our existing site and even have a custom Permissions class, so it'd be faster to write it from scratch than extract what I have and convert it back to traditional US code. I'm more than happy to help with the planning though.
I am currently using the PHP zxcvbn-php library for password strength, in case anyone is curious, with an Ajax call to test the strength and return a result before submitting the form. This lets me use a colorful meter so people know their weak password is red and BAD! I tried the jQuery library first but the word dictionaries are different and it allows much weaker passwords to pass when they shouldn't.
I also have a check that looks at anyone who doesn't pass the strength check and requires a new password on their next login (this only affects users with accounts made prior to password strength enforcement and that also have weak passwords).
Lastly I added in the ability to auto-force a reset every x months, depending on the value you set in admin.php, and remembers the last x passwords so you cannot reuse them (also set in admin.php).
Each reset type has a code in the users db table (1= everyone, 2= weak password, 3= expired, 4= single user) that the forgot password form uses to give the correct text to the user.
I'd share the code with you but I've had to heavily modify US to work with our existing site and even have a custom Permissions class, so it'd be faster to write it from scratch than extract what I have and convert it back to traditional US code. I'm more than happy to help with the planning though.
I am currently using the PHP zxcvbn-php library for password strength, in case anyone is curious, with an Ajax call to test the strength and return a result before submitting the form. This lets me use a colorful meter so people know their weak password is red and BAD! I tried the jQuery library first but the word dictionaries are different and it allows much weaker passwords to pass when they shouldn't.