support configurable password reset policies




11 years ago
4 years ago


(Reporter: timeless, Unassigned)





11 years ago
I'd like Bugzilla to support a couple of password reset policies with each user being able to select a policy*:

1. current (user can reset by token)
2. disabled (user can refuse to allow password resets via web service) - ideally all attempts to trigger a reset should result in a pager request to an admin

3. It should be possible to specify a default reset policy based on group membership. If multiple groups specify a policy, the strongest one should win by default.
4. Groups should be able to specify preferred and disallowed, so a group may specify that a certain policy must not be used for anyone in a group.


11 years ago
Priority: -- → P5

Comment 1

11 years ago
Per my discussion with timeless on IRC, what he wants is the ability to prevent the "forgot my password" email from being sent unencrypted through the web. In this case, a better fix is to use the GPG key to encrypt the email before sending it.

I don't think we will implement such policies.
I think encrypted reset emails are the right way to go here.
