Look into directing a user to update their password #54
Comments
I guess you could check the strength of the password against the current rules when a user successfully logs in, then redirect them to change password instead of the default login destination.
Sounds good, if there is a change to the compliance criteria—we could show a notification for them to update their password. We can keep on showing the notification until they actually reset it, don't know if we need to go to the enforce route?
As per @sminnee's comment
We currently do not force a reset (to my knowledge). The flow could be evaluated on submission of the password before hashing, setting a flag to update iff (if and only if) that should lead to a successful logging-in.
I worry that this may appear to a semi-savvy user that the password is not stored securely ("how would they know what my password is to say that?"), so I think there would be some communication with whatever method this is communicated through to the user.
@clarkepaul @newleeland may be interested in this flow.
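The flow discussed in this issue, sketched as an added example that is not code from this project: the submitted password is checked against the current rules only after it has verified against the stored hash, and a flag then routes the user to the change-password page until they reset. The policy rules, the PBKDF2 hashing and all function, field and destination names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import re

MIN_LENGTH = 12  # assumed rule; the issue does not list the actual criteria


def meets_current_policy(password: str) -> bool:
    """Assumed policy: minimum length plus lower case, upper case and a digit."""
    return len(password) >= MIN_LENGTH and all(
        re.search(p, password) for p in (r"[a-z]", r"[A-Z]", r"\d"))


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever hashing the project really uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str) -> dict:
    # Constructed user record, as if created under an older, weaker policy.
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt),
            "needs_password_update": False}


def login(user: dict, submitted: str) -> tuple:
    """Return (authenticated, destination)."""
    candidate = hash_password(submitted, user["salt"])
    if not hmac.compare_digest(candidate, user["hash"]):
        return False, "login"  # failed attempt: policy is never evaluated
    # The plaintext exists only in this request, so this is the one place an
    # already-stored password can be compared with the current rules.
    if not meets_current_policy(submitted):
        user["needs_password_update"] = True  # persists until a reset
    if user["needs_password_update"]:
        return True, "change-password"
    return True, "default"


def change_password(user: dict, new_password: str) -> bool:
    if not meets_current_policy(new_password):
        return False
    user["salt"] = os.urandom(16)
    user["hash"] = hash_password(new_password, user["salt"])
    user["needs_password_update"] = False
    return True
```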