
Force Password Change

#72608 (In Topic #15233)


Ability to Force password changes to users and/or groups

I once had one of my sites compromised because an admin of my site used the same password as his login to another similar community site that he used to log in to admin on my site. The other site obviously could figure out his password, so they used it to log in to my site with his credentials, allowing them to further find sensitive info to other sensitive areas etc. etc., and let's just say not good!

So I not only rewrote the entire login system to allow me to choose from whichever hashing algorithm was available (like whirlpool, ripemd, sha etc.) instead of the default md5 (which these days is so easily rainbowed), but I also created a logging system to store old passwords (hashed, and some plain disallowed ones set by me like password, pass1234 etc.) for a user when it was changed, as well as a method to force change. I could choose by group or user or userlevel (i.e. all admins and/or moderators type thing) and the system would make a random temp pw for everyone, store the old password, and then email them the new temp and log out all sessions and force them to make a new password on next visit. With my ability to store old hashed pwds (along with the hashing scheme used, i.e. salt and algo etc.) I would be able to compare each person's new password (even if I changed to a new hashing scheme) to the old store, and if I found a match, insist they pick something else. This way I could periodically force changes on users and be sure they were coming up with something new and unique, reducing the likelihood they would be using the same passwords on my site as they use elsewhere.

Anyway, I was wondering if:
A) you had any kind of force password change mechanism in the system, and if so, where can I find it?
B) if not, is it something you might consider adding to a new release one day?
C) And/or could you save me some time in pointing me in the right direction to which files I would want to be editing if I wished to write my own version of my above description for ocPortal? I am sure I could find all the places like I had to with my old system, but with that one I was also much more familiar than this one, and even with that one there were several places that needed editing for everything to work right, not forgetting things like user password reset request pages and/or temp password holding tables etc.

Any advice would be greatly appreciated.
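
The password-history check described in the post above, as an added example that is not part of the thread or of ocPortal's code: each stored password keeps its own scheme (algorithm, salt, iteration count), so a new password can be tested against old entries even after the site's scheme changes. It uses PBKDF2 from Python's standard library rather than the single-pass hashes the post lists; the function names and record layout are assumptions.

```python
import hashlib
import hmac
import os

# Constructed deny-list; "password" and "pass1234" are the examples the post names.
DISALLOWED = {"password", "pass1234"}


def make_record(password, algo="sha256", iterations=100_000):
    """Hash a password and store the scheme used beside the digest."""
    salt = os.urandom(16)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac(algo, password.encode("utf-8"), salt, iterations)
    return {"algo": algo, "salt": salt, "iterations": iterations, "digest": digest}


def matches(password, record):
    """Re-hash the candidate under the scheme recorded with this old entry."""
    candidate = hashlib.pbkdf2_hmac(
        record["algo"], password.encode("utf-8"), record["salt"], record["iterations"]
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, record["digest"])


def check_new_password(password, history):
    """Return (ok, reason); history is the member's list of old records."""
    if password.lower() in DISALLOWED:
        return False, "disallowed"
    if any(matches(password, old) for old in history):
        return False, "reused"
    return True, "ok"


def change_password(password, history, algo="sha512"):
    """Validate, then append a record hashed under the site's current scheme."""
    ok, reason = check_new_password(password, history)
    if ok:
        history.append(make_record(password, algo=algo))
    return ok, reason
```

Because the old plaintext is never kept, the comparison only works while the member's candidate password is available in the clear, that is, at the moment the change form is submitted.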

Nothing built in for this I'm afraid. Authentication goes through the forum driver layer, sources/forum/ocf.php. Password template is FORM_INPUT_PASSWORD.tpl. JS field validation goes through JAVASCRIPT_VALIDATION.tpl. Some validation is done in sources/ocf_members_action2.php ('ocf_check_name_valid').
