keepassxreboot/keepassxc

Password expiration presets should be in DAYS

Open

#4896 opened on 2020-06-23

8 comments, 8 reactions, 1 assignee
Repository: C++, 27,139 stars, 1,797 forks
Labels: batch import, help wanted

Description

Overview

The time interval presets available on the dropdown menu (to the right of the Expires datetime field) are currently as follows: {1, 2, 3} weeks, {1, 3, 6} months, or {1, 2, 3} years. Furthermore, they don't seem to be configurable.

This is not really useful, because mandatory password change times are usually given in numbers of days, and while a week always has seven days, a month can have from 28 to 31 days and a year 365 or 366. Thus, these units are too imprecise.

Here's a quick survey of password expiry requirements:

Microsoft

For decades, the baseline password practices Microsoft provided to customers suggested forcing employees to change their passwords every 60 days.

The password reset timer in Windows Server products is still 42 days.

(source)

Okta

Single sign on (SSO) provider Okta uses 120 days as the default (source)

You can configure this setting for 1–999 days. (source)

(Okta also has a minimum required duration, before which the password cannot be changed. This is given in hours or days. This is to prevent a user from changing their password back to an old one.)

RedHat

RedHat's LDAP admin documentation says they do something similar to Okta, providing parameters

--maxlife [...] The default value is 90 days. --minlife [...] The default value is one hour.

Feature Requests

  • Please let us specify the expiration in number of days from now.
  • Please let us modify the presets, ideally on a site-by-site basis, since everybody has a different default. (I find myself writing this info in the notes field, along with the password requirements.)
  • Perhaps the date picker could have a field or mouseover that tells us how many days we are in the future?
  • Please let us have a notification when one is about to expire (this, of course, requires a threshold value, a "time to expiration"). Notification is not needed for every entry, but probably only one or two critical ones. (Inevitably, the same organizations requiring periodic changes are going to make it tedious to recover from missing one!) Currently, I put an alarm in my calendar for this.

Other Implementations

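As an added example (not code from this issue or from KeePassXC), the following C++ program makes the imprecision argument concrete and sketches the days-based computation the request asks for: it counts how many real days a "1 month" or "1 year" preset covers from different start dates, derives an expiry date from a number of days from today, and applies a "time to expiration" warning threshold. All function names are hypothetical; the calendar arithmetic is Howard Hinnant's public-domain days_from_civil/civil_from_days, and the month-clamping rule (keep the day-of-month, clamp to the last day of the target month) is assumed to match how QDate::addMonths behaves.

```cpp
// Added example, not KeePassXC code: shows why week/month/year presets give a
// variable number of days, and what a days-based expiry with a warning
// threshold looks like. Function names are hypothetical. Calendar arithmetic
// follows Howard Hinnant's public-domain days_from_civil/civil_from_days.
#include <algorithm>
#include <cstdint>
#include <iostream>

struct CivilDate {
    int y;
    unsigned m;  // 1..12
    unsigned d;  // 1..31
};

// Days since 1970-01-01 (proleptic Gregorian).
int64_t daysFromCivil(CivilDate dt) {
    int y = dt.y;
    unsigned m = dt.m;
    y -= m <= 2;
    const int era = (y >= 0 ? y : y - 399) / 400;
    const unsigned yoe = static_cast<unsigned>(y - era * 400);
    const unsigned doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + dt.d - 1;
    const unsigned doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return static_cast<int64_t>(era) * 146097 + static_cast<int64_t>(doe) - 719468;
}

// Inverse of daysFromCivil.
CivilDate civilFromDays(int64_t z) {
    z += 719468;
    const int64_t era = (z >= 0 ? z : z - 146096) / 146097;
    const unsigned doe = static_cast<unsigned>(z - era * 146097);
    const unsigned yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365;
    const int64_t y = static_cast<int64_t>(yoe) + era * 400;
    const unsigned doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    const unsigned mp = (5 * doy + 2) / 153;
    const unsigned d = doy - (153 * mp + 2) / 5 + 1;
    const unsigned m = mp < 10 ? mp + 3 : mp - 9;
    return {static_cast<int>(y + (m <= 2)), m, d};
}

bool isLeapYear(int y) { return (y % 4 == 0 && y % 100 != 0) || y % 400 == 0; }

unsigned daysInMonth(int y, unsigned m) {
    static const unsigned len[] = {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
    return (m == 2 && isLeapYear(y)) ? 29 : len[m - 1];
}

// "N months from date", keeping the day-of-month and clamping to the last day
// of the target month when it does not exist (assumed to match QDate::addMonths).
CivilDate addMonths(CivilDate dt, int n) {
    const int total = dt.y * 12 + static_cast<int>(dt.m) - 1 + n;
    const int y = (total >= 0 ? total : total - 11) / 12;
    const unsigned m = static_cast<unsigned>(total - y * 12) + 1;
    return {y, m, std::min(dt.d, daysInMonth(y, m))};
}

// Number of real days an "N months" preset covers from a given start date.
int64_t presetSpanDays(CivilDate start, int months) {
    return daysFromCivil(addMonths(start, months)) - daysFromCivil(start);
}

// What the issue asks for: expiry expressed as a number of days from today.
CivilDate expiryAfterDays(CivilDate today, int days) {
    return civilFromDays(daysFromCivil(today) + days);
}

int64_t daysUntil(CivilDate today, CivilDate expiry) {
    return daysFromCivil(expiry) - daysFromCivil(today);
}

// Notification rule: warn once the entry is within thresholdDays of expiring
// (an already-expired entry is also flagged).
bool shouldWarn(CivilDate today, CivilDate expiry, int thresholdDays) {
    return daysUntil(today, expiry) <= thresholdDays;
}

int main() {
    // The same "1 month" preset yields 28, 29 or 31 days depending on the start date.
    std::cout << "1 month from 2020-01-31: " << presetSpanDays({2020, 1, 31}, 1) << " days\n";
    std::cout << "1 month from 2021-01-31: " << presetSpanDays({2021, 1, 31}, 1) << " days\n";
    std::cout << "1 month from 2020-03-01: " << presetSpanDays({2020, 3, 1}, 1) << " days\n";
    std::cout << "1 year from 2019-06-23:  " << presetSpanDays({2019, 6, 23}, 12) << " days\n";
    std::cout << "1 year from 2020-06-23:  " << presetSpanDays({2020, 6, 23}, 12) << " days\n";

    // A 90-day policy (the Red Hat default quoted above), set on the day the issue was opened.
    const CivilDate today{2020, 6, 23};
    const CivilDate expiry = expiryAfterDays(today, 90);
    std::cout << "90 days from 2020-06-23: " << expiry.y << '-' << expiry.m << '-' << expiry.d << '\n';
    const CivilDate later{2020, 9, 10};
    std::cout << "days left on 2020-09-10: " << daysUntil(later, expiry)
              << ", warn at 14-day threshold: " << (shouldWarn(later, expiry, 14) ? "yes" : "no") << '\n';
    return 0;
}
```

Working in day counts rather than calendar units is what makes the "days from now" field, the "days in the future" hint on the date picker, and the warning threshold all trivially consistent: the expiry stored in the entry is still a date, but every comparison is a subtraction of two day numbers.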