dhis2-devs team mailing list archive

Re: Expired password

 

Hi Andrew,

thanks for your input.


On Mon, Dec 2, 2013 at 11:35 AM, Muhire Andrew <muhireandrew@xxxxxxxxx> wrote:

> Hi all,
>
> Here are my inputs to DHIS2, maybe for future releases:
>
> -To avoid people maybe misusing it, and the risks of user and password caching
> in their browser's memory, it would be better if we made this optional when
> setting passwords, like a password that expires on date xx/xx/xxxx. This is
> important because some users request usernames and passwords only for
> research purposes for a given period, e.g. only 3 months; here the system
> would be able to automatically block him/her from logging in. For facility
> users, it would be better to have a specific period, with all of them alerted
> by email and forced to change the password. (Note that this is optional.)
>
>
This is a sensible request, and is in fact already planned for 2.14:

https://blueprints.launchpad.net/dhis2/+spec/password-change



> -Another part is that if someone attempts and fails to log in several times,
> e.g. 6 or more times, the system automatically blocks that person and sends a
> message to the administrator for him to check if it's not an intruder.
>
>
This I am less sure about - the problem is that it will be very simple for an
attacker to jam the system by constantly posting login attempts to an
instance, thereby triggering the auto-locking and preventing anyone from
logging in. Must think a bit more on this one.

cheers

Lars
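
Added example (not part of the original message and not DHIS2 code): a small simulation of the trade-off raised in the reply above. It compares the proposed per-account lock after 6 failures with an assumed alternative that throttles per (user, source address); the class names, the 15-minute window and the sample addresses are constructed for illustration.

```python
from collections import defaultdict

MAX_FAILURES = 6  # threshold from the quoted proposal ("6 or more times")

class AccountLockout:
    """Proposed policy: lock the account after MAX_FAILURES failures from anyone."""
    def __init__(self):
        self.failures = defaultdict(int)
        self.locked = set()

    def login(self, user, source, password_ok, now=0):
        if user in self.locked:
            return "locked"          # stays locked until an administrator acts
        if password_ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked.add(user)
        return "denied"

class SourceThrottle:
    """Assumed alternative: count failures per (user, source) inside a time window."""
    def __init__(self, window=900):          # 900 s window is an assumption
        self.window = window
        self.failures = defaultdict(list)    # (user, source) -> failure timestamps

    def login(self, user, source, password_ok, now):
        key = (user, source)
        recent = [t for t in self.failures[key] if now - t < self.window]
        self.failures[key] = recent
        if len(recent) >= MAX_FAILURES:
            return "throttled"               # only this source is held back
        if password_ok:
            self.failures.pop(key, None)
            return "ok"
        recent.append(now)
        return "denied"

def simulate(policy):
    """Constructed scenario: 6 bad logins from one address, then the account
    owner logs in correctly from a different address."""
    for t in range(MAX_FAILURES):
        policy.login("facility_user", "203.0.113.7", False, now=t)
    owner = policy.login("facility_user", "198.51.100.20", True, now=10)
    flooder = policy.login("facility_user", "203.0.113.7", True, now=11)
    return owner, flooder

if __name__ == "__main__":
    print("account lockout :", simulate(AccountLockout()))
    print("source throttle :", simulate(SourceThrottle()))
```

Per-source throttling keeps the owner able to log in, but it does not limit guesses spread across many source addresses, so it is a trade-off rather than a complete answer.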
