[TYPO3-dev] Password expiry and blacklists

Christian Lerrahn typo3 at penpal4u.net
Mon Feb 20 05:12:33 CET 2012


On Wed, 15 Feb 2012 07:28:58 +0100
Peter Russ <peter.russ at 4many.net> wrote:

[...]
 
> In an enterprise you use LDAP. There the company's password policy is
> defined. I see no need to add this into TYPO3. Maybe the extension
> to connect to the LDAP could be improved to handle the few error
> codes returned by LDAP correctly.

Actually, I'm not sure that LDAP will always be the authentication
system of choice. But even if an organisation employs LDAP, I consider
the scenario where the website is integrated into the LDAP
authentication scheme rather rare. This is certainly only the case for
large organisations but will most likely never apply to anything small
or medium size. Nevertheless, these organisations are often large
enough already to have strict security policies which might stipulate
password expiry.

> Further in companies it is a security risk to store passwords in
> TYPO3.

This is not necessarily true. In fact, in the case which led me to
develop something earlier, the client's policy did not allow for
sensitive data in the web database but had separate authentication
which required password expiry as a requirement for all IT systems in
the organisation. If I were in charge, I'd probably also rather keep a
web server entirely separate from the corporate network and only
ban the use of the same username and password combinations as in the
corporate network.

To cut a long story short, despite your explanation, I still disagree
with there being no need for such a functionality.

Cheers,
Christian
