This repository has been archived by the owner on Dec 14, 2017. It is now read-only.

Suggestion: Add a property on UserAccount to force password change at next login #58

Closed
hades200082 opened this issue Jul 12, 2013 · 7 comments

Comments

@hades200082

It would be very useful for an admin to be able to force a user to change their password at next login.

Example use case:
Admin changes the user's password for them (I know they can request a reset themselves... they didn't... they are dumb)

At this point the user should really be forced to change their password to something that even the admin doesn't know when they next log in.

The reason: Most admins will use the same default password for all such password resets.

Also, giving the admin a button they can press to force a user to change their password would be nice too.

@talves

talves commented Jul 12, 2013

+1
I came to the partial conclusion that there is a process for this using your application. Maybe some discussion is in order to decide if this should be within MembershipReboot. My alternatives are how I plan to handle it.

Alternative for forgotten password: The admin requests a password change on behalf of the user using the user's email address. This will send a validation email to the user and the user clicks on the link to change their password. The admin has no need to enter a new password or know what it is.

Alternative for forcing a password: The code-behind in the application could change the password to a unique GUID or other random string that no one would know, then email the user with a change-password validation. This would force the user to reset the password and not allow the user to log in until they validated.

Alternative for requiring a password change: The application could add a claim to the user account that would set a reset password flag to require a password change and redirect to the change password page until the password was changed.

I am sure Brock will have some feedback on this one.

@brockallen
Owner

This is an interesting requirement. My only problem is that at the library level there's no way to force the user to do anything -- that's up to the UI or whatever application is using the library. I could add a "MustChangePassword" property on the UserAccount -- would this suffice?

@talves

talves commented Jul 16, 2013

Your solution would make tracking the flag easier, but it would be just as easy to create a claim by creating a role called "MustChangePassword" also, so it is up to you whether it is beneficial or not. I would end up doing the same logic whether you make the change or not. Up to you. I do agree with you, after working on this, that it should be up to each individual application unless you decided to tie it to logging in successfully.

@brockallen
Owner

Normally for other info I might suggest a custom claim, but since there's already the concept of "must change password" (or I guess I should say "should") then I don't mind making a dedicated flag in the UserAccount model.

@talves

talves commented Jul 16, 2013

Fantastic! I am really liking what you have done here. This has made me realize how tied to Membership I was.
Thank You for making this available and the time spent.

@hades200082
Author

Yes. And you already have the password expiry... it could work in a similar way to that.

@brockallen
Owner

Ok, done.
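Added illustration of the flag discussed in this thread (an account-level "must change password" bit set by an admin reset and checked at login). This is example code written for this page, not MembershipReboot's own UserAccount or UserAccountService; the class names, the `MustChangePassword` property, the `AuthResult` enum and the PBKDF2 hashing are all assumptions. It combines the two alternatives above: the admin either sets an unguessable random password or a known temporary one, and either way the flag forces a change on the next successful login. The library-level service only reports `PasswordChangeRequired`; redirecting to the change-password page remains the application's job, as the thread concludes.

```csharp
using System;
using System.Security.Cryptography;

// Hypothetical account model for illustration; not MembershipReboot's own UserAccount.
public class UserAccount
{
    public string Username { get; set; }
    public byte[] Salt { get; set; }
    public byte[] PasswordHash { get; set; }
    public bool MustChangePassword { get; set; }   // the flag proposed in this issue
    public DateTime PasswordChanged { get; set; }
}

public enum AuthResult { Failed, PasswordChangeRequired, Success }

// Hypothetical service; assumes .NET Core 2.1+ / .NET 5+ for CryptographicOperations.
public class AccountService
{
    private const int Iterations = 100_000;

    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(32);
    }

    private static byte[] RandomBytes(int count)
    {
        var buf = new byte[count];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(buf);
        return buf;
    }

    private static void SetPassword(UserAccount account, string password)
    {
        account.Salt = RandomBytes(16);
        account.PasswordHash = Derive(password, account.Salt);
        account.PasswordChanged = DateTime.UtcNow;
    }

    // "Forcing a password" alternative: the account gets a random password nobody knows,
    // and the flag guarantees the next login cannot proceed past the change-password step.
    public void AdminResetPassword(UserAccount account)
    {
        string unguessable = Convert.ToBase64String(RandomBytes(32));
        SetPassword(account, unguessable);
        account.MustChangePassword = true;
        // Sending the reset link/e-mail to the user is an application concern, omitted here.
    }

    // Where the admin types a temporary password, the flag keeps that shared default
    // from ever becoming a long-lived credential.
    public void AdminSetTemporaryPassword(UserAccount account, string temporaryPassword)
    {
        SetPassword(account, temporaryPassword);
        account.MustChangePassword = true;
    }

    public AuthResult Authenticate(UserAccount account, string password)
    {
        if (account.Salt == null || account.PasswordHash == null) return AuthResult.Failed;
        byte[] candidate = Derive(password, account.Salt);
        if (!CryptographicOperations.FixedTimeEquals(candidate, account.PasswordHash))
            return AuthResult.Failed;
        // Credential is valid, but the application must not issue a normal session yet.
        return account.MustChangePassword ? AuthResult.PasswordChangeRequired : AuthResult.Success;
    }

    public bool ChangePassword(UserAccount account, string currentPassword, string newPassword)
    {
        if (Authenticate(account, currentPassword) == AuthResult.Failed) return false;
        if (string.IsNullOrEmpty(newPassword) || newPassword == currentPassword) return false;
        SetPassword(account, newPassword);
        account.MustChangePassword = false;   // cleared only by a successful change
        return true;
    }
}

public static class Program
{
    public static void Main()
    {
        var svc = new AccountService();
        var alice = new UserAccount { Username = "alice" };   // constructed sample account
        svc.AdminSetTemporaryPassword(alice, "Temp-Pass-1");

        // With the temporary password, login gets only as far as the change-password page.
        Console.WriteLine(svc.Authenticate(alice, "Temp-Pass-1"));
        Console.WriteLine(svc.ChangePassword(alice, "Temp-Pass-1", "a new, private passphrase"));
        Console.WriteLine(svc.Authenticate(alice, "a new, private passphrase"));
        Console.WriteLine(svc.Authenticate(alice, "Temp-Pass-1"));
    }
}
```

The important design point is the split the thread arrives at: the data model records the requirement and the service refuses to report a plain `Success` while it is set, but only the application can act on `PasswordChangeRequired` (issue a restricted session and redirect to the change-password page). Tying the flag to a successful authentication, rather than just to a claim the UI inspects, means a client that skips the redirect still never receives a full session.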
