Though user profile does not request old password in order to change user password, it is still bad security practice to be copied into such a great module as password_policy, which is all about security. I am in strong favor of making default setting to require old password for password change on the tab. Call it level 1.
The 2nd level is to require old password even if password_tab is not used.
These two levels make up a good place for a checkbox "Require old password" on policy form. There should be a bypass logic when user gets there from a single-time link, and changes password in a short time, so he/she should not remember that auto-generated password.
Comments
Comment #1
john.money CreditAttribution: john.money commented+1
I've attached password change screenshots from a couple popular services. They all implement this behavior.
Comment #2
tivie CreditAttribution: tivie commentedsubscribe
Comment #3
roball CreditAttribution: roball commented+1 and increasing the priority since this may be considered as security problem.
Comment #4
roball CreditAttribution: roball commentedAny reasons why this has not been considered for the final 1.0 release?
Comment #5
erikwebb CreditAttribution: erikwebb commentedThis is implemented by the Password change confirm module (a back port of D7 functionality).
Comment #6
roball CreditAttribution: roball commentedThe module you have mentioned does not support the "Password change tab" sub module of this module. And it does NOT require the current password to change it, it just asks for the new password twice instead of once.
Comment #7
erikwebb CreditAttribution: erikwebb commentedPassword Policy is a backend module used to enforce password restrictions and manage forced expirations. There is nothing inherently UI-driven about this module.
Are you suggesting that we re-implement the functionality of the Password change confirm module inside Password Policy. It seems to me that this should be a patch to _that_ module to support an additional form ID. Modifying this module to add that field would be a substantially new feature (essentially absorbing this other module) or create a specific dependency on that module. Either way it doesn't seem like a reasonable fit.
I'd be glad to discuss this more, but I don't see this fitting in. You say Password Policy is "all about security", but that's an overgeneralized explanation and makes it sound like Password Policy should fill all security requirements around passwords. That's simply not the case.
Comment #8
erikwebb CreditAttribution: erikwebb commentedComment #9
iva2k CreditAttribution: iva2k commented@erikwebb
You are talking about password policy module and rightfully reject the points made above from that viewpoint. However you missed the main starting point - the issue is about password_tab module which is packaged inside password policy. It is in fact a separate module with very different functionality than password policy itself. So you should step back and look at what password_tab module is about and what it's mission. Then I hope you will accept the points made, starting with the one that it is a UI module. It also replaces core password functionality, and makes it less secure by removing the requirement (that exists in core password) for entering old password in order to change user password. Maybe things would be better and clearer if password_tab module was a separate project, as there is no real dependency on password policy.
Comment #10
erikwebb CreditAttribution: erikwebb commentedI'm sorry, it totally skipped my mind that the normal password box requires the current password (I'm too accustomed to being an admin user). You're right.
Should be easy to patch - care to give it a shot?
Comment #11
iva2k CreditAttribution: iva2k commentedSorry, I don't have time for that.
Here are the references I collected on the subject:
Comment #12
erikwebb CreditAttribution: erikwebb commentedComment #13
roball CreditAttribution: roball commentedPatch #12 works for non-admin users. However, admins (users having the permission "administer users") will NOT have to give their current password.
IMO, every user should have this requirement - regardless of her permissions. When you are logged in as admin, leave your computer while still being logged in, someone else could change the admin's password without knowing the current one. No good security.
Comment #14
erikwebb CreditAttribution: erikwebb commentedAfter looking at the Password Change module, there are other edge cases that we would have to deal with here as well. By the time we implement all of those, this module would fully contain Password Change. Instead I've added direct integration between the 2 modules.
Comment #15
roball CreditAttribution: roball commentedPlease, can you make the Integrate with the Password change confirm module a separate issue? I cannot use that module due to that critical bug: #1215314: New users being asked to confirm password.
So it would still be useful to have the current password required by this (password_policy_password_tab) module, like the patch above, but not depending on permissions. You could check if the password_change module is enabled and only require the current password if it isn't enabled.
Comment #16
erikwebb CreditAttribution: erikwebb commentedThe major difference is my patch does not take into account one-time login links. This is a decent amount of code already provided by Password Change. It appears the patch to fix the Password Change Confirm module would be more trivial than making this module do the other checks provided by that module.
If we can fix their critical bug, can we leave this as an integration rather than duplication?
Comment #17
roball CreditAttribution: roball commentedAgreed :-) Just tested your latest patch (#14), together with the "Password change confirm" module 6.x-1.1 and it works fine!
Just one minor issue after applying the patch (compare both attached screenshots): the word "account" now appears above the first new password field of the Password tab.
Comment #18
erikwebb CreditAttribution: erikwebb commentedSorry about that, lazy programming.
Comment #20
roball CreditAttribution: roball commentedThanks, #18 works perfectly for me!
What about the one failed test by the bot?
Comment #21
erikwebb CreditAttribution: erikwebb commented#18: password_policy-password_change_integration-491158-18.patch queued for re-testing.
Comment #22
erikwebb CreditAttribution: erikwebb commentedIt was a poorly written test. I've updated the tests so that they pass.
Comment #23
erikwebb CreditAttribution: erikwebb commentedFixed and committed.
http://drupalcode.org/project/password_policy.git/commit/74991de
Comment #24
roball CreditAttribution: roball commentedGreat, thanks!