Though user profile does not request old password in order to change user password, it is still bad security practice to be copied into such a great module as password_policy, which is all about security. I am in strong favor of making default setting to require old password for password change on the tab. Call it level 1.

The 2nd level is to require old password even if password_tab is not used.

These two levels make up a good place for a checkbox "Require old password" on policy form. There should be a bypass logic when user gets there from a single-time link, and changes password in a short time, so he/she should not remember that auto-generated password.

Files: 
CommentFileSizeAuthor
#18 password_policy-password_change_integration-491158-18.patch2.07 KBerikwebb
PASSED: [[SimpleTest]]: [MySQL] 334 pass(es).
[ View ]
#17 01-Integrate with Password Change module-Before patch.png18.28 KBroball
#17 02-Integrate with Password Change module-After patch.png21.04 KBroball
#14 password_policy-password_change_integration-491158-13.patch2.04 KBerikwebb
FAILED: [[SimpleTest]]: [MySQL] 241 pass(es), 1 fail(s), and 0 exception(s).
[ View ]
#12 password_policy-password_tab_require_current-491158-12.patch2 KBerikwebb
FAILED: [[SimpleTest]]: [MySQL] 241 pass(es), 1 fail(s), and 0 exception(s).
[ View ]
#1 google_pw.png27.68 KBjohn.money
#1 fb_pw.png38 KBjohn.money
#1 flickr_pw.png41.15 KBjohn.money

Comments

john.money’s picture

StatusFileSize
new41.15 KB
new38 KB
new27.68 KB

+1

I've attached password change screenshots from a couple popular services. They all implement this behavior.

tivie’s picture

subscribe

roball’s picture

Version:6.x-1.x-dev» 6.x-1.0-beta1
Priority:Normal» Major

+1 and increasing the priority since this may be considered as security problem.

roball’s picture

Version:6.x-1.0-beta1» 6.x-1.0

Any reasons why this has not been considered for the final 1.0 release?

erikwebb’s picture

Priority:Major» Normal
Status:Active» Closed (won't fix)

This is implemented by the Password change confirm module (a back port of D7 functionality).

roball’s picture

Status:Closed (won't fix)» Active

The module you have mentioned does not support the "Password change tab" sub module of this module. And it does NOT require the current password to change it, it just asks for the new password twice instead of once.

erikwebb’s picture

Version:6.x-1.0» 6.x-1.x-dev

Password Policy is a backend module used to enforce password restrictions and manage forced expirations. There is nothing inherently UI-driven about this module.

Are you suggesting that we re-implement the functionality of the Password change confirm module inside Password Policy. It seems to me that this should be a patch to _that_ module to support an additional form ID. Modifying this module to add that field would be a substantially new feature (essentially absorbing this other module) or create a specific dependency on that module. Either way it doesn't seem like a reasonable fit.

I'd be glad to discuss this more, but I don't see this fitting in. You say Password Policy is "all about security", but that's an overgeneralized explanation and makes it sound like Password Policy should fill all security requirements around passwords. That's simply not the case.

erikwebb’s picture

Status:Active» Closed (works as designed)
iva2k’s picture

Status:Closed (works as designed)» Active

@erikwebb
You are talking about password policy module and rightfully reject the points made above from that viewpoint. However you missed the main starting point - the issue is about password_tab module which is packaged inside password policy. It is in fact a separate module with very different functionality than password policy itself. So you should step back and look at what password_tab module is about and what it's mission. Then I hope you will accept the points made, starting with the one that it is a UI module. It also replaces core password functionality, and makes it less secure by removing the requirement (that exists in core password) for entering old password in order to change user password. Maybe things would be better and clearer if password_tab module was a separate project, as there is no real dependency on password policy.

erikwebb’s picture

I'm sorry, it totally skipped my mind that the normal password box requires the current password (I'm too accustomed to being an admin user). You're right.

Should be easy to patch - care to give it a shot?

iva2k’s picture

Sorry, I don't have time for that.
Here are the references I collected on the subject:

erikwebb’s picture

Status:Active» Needs review
StatusFileSize
new2 KB
FAILED: [[SimpleTest]]: [MySQL] 241 pass(es), 1 fail(s), and 0 exception(s).
[ View ]
roball’s picture

Status:Needs review» Needs work

Patch #12 works for non-admin users. However, admins (users having the permission "administer users") will NOT have to give their current password.

IMO, every user should have this requirement - regardless of her permissions. When you are logged in as admin, leave your computer while still being logged in, someone else could change the admin's password without knowing the current one. No good security.

erikwebb’s picture

Title:password_tab should require old password» Integrate with Password Change module
Status:Needs work» Needs review
StatusFileSize
new2.04 KB
FAILED: [[SimpleTest]]: [MySQL] 241 pass(es), 1 fail(s), and 0 exception(s).
[ View ]

After looking at the Password Change module, there are other edge cases that we would have to deal with here as well. By the time we implement all of those, this module would fully contain Password Change. Instead I've added direct integration between the 2 modules.

roball’s picture

Title:Integrate with Password Change module» password_tab should require old password
Status:Needs review» Active

Please, can you make the Integrate with the Password change confirm module a separate issue? I cannot use that module due to that critical bug: #1215314: New users being asked to confirm password.

So it would still be useful to have the current password required by this (password_policy_password_tab) module, like the patch above, but not depending on permissions. You could check if the password_change module is enabled and only require the current password if it isn't enabled.

erikwebb’s picture

The major difference is my patch does not take into account one-time login links. This is a decent amount of code already provided by Password Change. It appears the patch to fix the Password Change Confirm module would be more trivial than making this module do the other checks provided by that module.

If we can fix their critical bug, can we leave this as an integration rather than duplication?

roball’s picture

Title:password_tab should require old password» Integrate with Password Change module
StatusFileSize
new21.04 KB
new18.28 KB

Agreed :-) Just tested your latest patch (#14), together with the "Password change confirm" module 6.x-1.1 and it works fine!

Just one minor issue after applying the patch (compare both attached screenshots): the word "account" now appears above the first new password field of the Password tab.

erikwebb’s picture

Status:Active» Needs review
StatusFileSize
new2.07 KB
PASSED: [[SimpleTest]]: [MySQL] 334 pass(es).
[ View ]

Sorry about that, lazy programming.

Status:Needs review» Needs work

The last submitted patch, password_policy-password_change_integration-491158-18.patch, failed testing.

roball’s picture

Status:Needs work» Reviewed & tested by the community

Thanks, #18 works perfectly for me!

What about the one failed test by the bot?

erikwebb’s picture

erikwebb’s picture

It was a poorly written test. I've updated the tests so that they pass.

erikwebb’s picture

Status:Reviewed & tested by the community» Fixed
roball’s picture

Great, thanks!

Status:Fixed» Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.