dhis2-devs team mailing list archive

Thread
Date

Re: Expired password

To: Muhire Andrew <muhireandrew@xxxxxxxxx>
From: Lars Helge Øverland <larshelge@xxxxxxxxx>
Date: Mon, 2 Dec 2013 11:47:59 +0100
Cc: "dhis2-users@xxxxxxxxxxxxxxxxxxx" <dhis2-users@xxxxxxxxxxxxxxxxxxx>, DHIS 2 developers <dhis2-devs@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <1385980507.16601.YahooMailNeo@web164806.mail.gq1.yahoo.com>

Hi Andrew,

thanks for your input.


On Mon, Dec 2, 2013 at 11:35 AM, Muhire Andrew <muhireandrew@xxxxxxxxx>wrote:

> Hi all,
>
> Here is my inputs to DHIS2 may be for the future releases:
>
> -To avoid people from may be misusing, risks of User and Passwrd caching
> to their browsers memory, it can be more better if we make it optional on
> setting passwords. Like password to expire on date xx/xx/xxxx. This is
> important because some Users requests the usernames and passwords for only
> research purposes in a given period. eg like only 3 months here the system
> can be able to automatically block he/she from logging in. On Facility
> users, it can be  better to have a specific period and they all alerted to
> their emails and forced to change the password.(Note that this is optional).
>
>
This is a sensible request, and is in fact already planned for 2.14:

https://blueprints.launchpad.net/dhis2/+spec/password-change



> -Another part is if someone prompt and fails to log in several times eg: 6
> or more times the system automatically blocks that person and sends the
> message to the administrator for him to check if its not an intruder.
>
>
This I am less sure about - problem is that it will be very simple for an
attacker to jam the system by constantly posting login attempts to an
instance, hereby triggering the the auto-locking and disabling anyone to
log in. Must thing a bit more on this one.

cheers

Lars

References

Expired password
From: Muhire Andrew, 2013-12-02