I'd like Bugzilla to support a couple of password reset policies, with each user being able to select a policy*:
1. Current (user can reset by token)
2. Disabled (user can refuse to allow password resets via web service) - ideally all attempts to trigger a reset should result in a pager request to an admin
3. It should be possible to specify a default reset policy based on group membership. If multiple groups specify a policy, the strongest one should win by default.
4. Groups should be able to specify preferred and disallowed, so a group may specify that a certain policy must not be used for anyone in a group.
Per my discussion with timeless on IRC, what he wants is the ability to prevent the "forgot my password" email from being sent unencrypted through the web. In this case, a better fix is to use the GPG key to encrypt the email before sending it. I don't think we will implement such policies.
I think encrypted reset emails are the right way to go here.

Gerv