[wp-trac] [WordPress Trac] #46496: Add User Password Expiration Functionality
WordPress Trac
noreply at wordpress.org
Fri Mar 15 10:12:56 UTC 2019
#46496: Add User Password Expiration Functionality
-------------------------+----------------------
Reporter: cwpnolen | Owner: (none)
Type: enhancement | Status: closed
Priority: normal | Milestone:
Component: Security | Version:
Severity: normal | Resolution: wontfix
Keywords: | Focuses:
-------------------------+----------------------
Changes (by johnbillion):
* status: new => closed
* resolution: => wontfix
* focuses: administration =>
* component: Users => Security
* milestone: Awaiting Review =>
Comment:
Thanks for the ticket, @cwpnolen!
Periodically changing passwords is seen as a security anti-pattern these
days (see below) so this functionality would probably be contentious. Many
of the most popular WordPress security plugins provide this as an optional
feature.
I'll close this ticket as wontfix as it's firmly in plugin territory.
----
> The NCSC now recommend organisations do not force regular password
> expiry. We believe this reduces the vulnerabilities associated with
> regularly expiring passwords (described above) while doing little to
> increase the risk of long-term password exploitation.
Ref: https://www.ncsc.gov.uk/blog-post/problems-forcing-regular-password-expiry
> Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily
> (e.g., periodically).
Ref: https://pages.nist.gov/800-63-3/sp800-63b.html
--
Ticket URL: <https://core.trac.wordpress.org/ticket/46496#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform