[TYPO3-dev] Password expiry and blacklists

Christian Lerrahn (Cerebrum) christian.lerrahn at cerebrum.com.au
Mon Feb 27 07:04:57 CET 2012


Hi Georg,
On Wed, 15 Feb 2012 08:02:27 +0100
Georg Ringer <typo3 at ringerge.org> wrote:
> On 15.02.2012 03:01, Christian Lerrahn (Cerebrum) wrote:
> > As TYPO3 is referred to as an Enterprise CMS, I really think it
> > should have a password expiry (particularly for the backend) and
> > password blacklists. This is a very common feature in corporate
> > environments but completely absent in TYPO3.
> 
> certainly true.
> 
> > I've written an extension before for a client and hacked the core
> > for that but it was all very messy so I decided against publishing
> > it.
> 
> maybe you wanna still share it and post the diffs somewhere?

I'm sorry I'm running a little bit late with publishing my extension
plus the diffs. You can now download them at
http://www.cerebrum.com.au/fileadmin/T3X_passwordexpiry-0_0_1-z-201202270249.t3x .
I've used them against older versions of T3 4.4 and 4.5.11. Again, the
cautionary remark I already made earlier: the diffs are quite messy and
focus on getting the job done, no more, no less. You can find the diffs
in the extension's "res" folder.

I'm planning to review the cleaned-up service chain in 4.7 and see how I
could simplify my approach with the cleaner approach present there. I
reckon the whole thing with the flag for expired accounts could be
avoided if another status code for services was added which flags an
authentication as successful but then passes the user on to password
change. Services could then also expire passwords for different reasons
(e.g. password too weak, etc.). The bigger deal is probably really how
to handle the redirect as something like a "limited session" where the
user cannot break out but has successfully authenticated.

Cheers,
Christian
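
The "authenticated, but must change password" status and the "limited session" described in the message above can be modelled as follows. This is an added example, not part of the original message and not code from the extension or from TYPO3. The status names, the 90-day policy, the sample blacklist and the `/password/change` route are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum

class AuthStatus(Enum):            # hypothetical status codes, not TYPO3's own
    FAILED = 0
    OK = 1
    OK_MUST_CHANGE = 2             # authenticated, but password must be changed

MAX_AGE = timedelta(days=90)                  # assumed expiry policy
BLACKLIST = {"password", "typo3", "123456"}   # constructed sample blacklist
CHANGE_PATH = "/password/change"              # hypothetical route

@dataclass
class Session:
    user: str
    limited: bool                  # True: only the password change is reachable

def authenticate(password_ok, password, changed_at, now):
    """Service-style check: expiry and blacklist both map to OK_MUST_CHANGE."""
    if not password_ok:
        return AuthStatus.FAILED
    if now - changed_at > MAX_AGE or password.lower() in BLACKLIST:
        return AuthStatus.OK_MUST_CHANGE
    return AuthStatus.OK

def open_session(user, status):
    """Failed logins get no session; forced changes get a limited one."""
    if status is AuthStatus.FAILED:
        return None
    return Session(user, limited=status is AuthStatus.OK_MUST_CHANGE)

def route(session, path):
    """Gate evaluated on every request, so a limited session cannot break out."""
    if session is None:
        return "/login"
    if session.limited and path != CHANGE_PATH:
        return CHANGE_PATH
    return path

def complete_change(session, new_password):
    """Lift the restriction only after an acceptable new password is set."""
    if new_password.lower() in BLACKLIST:
        return False
    session.limited = False
    return True
```

Because the restriction lives in the session and is checked per request rather than only at the login redirect, requesting another URL directly still lands on the password change.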



