Expired password

Hi all,

Here are my inputs to DHIS2, maybe for future releases:

- To avoid people maybe misusing, and the risks of user names and passwords being cached in their browser's memory, it would be better if we make it optional when setting passwords, like a password expiring on date xx/xx/xxxx. This is important because some users request usernames and passwords only for research purposes over a given period, e.g. only 3 months; here the system should be able to automatically block him/her from logging in. For facility users, it would be better to have a specific period, with all of them alerted by email and forced to change the password. (Note that this is optional.)

- Another part is if someone is prompted and fails to log in several times, e.g. 6 or more times, the system automatically blocks that person and sends a message to the administrator for him to check if it's not an intruder.

I am very sure this can be suitable for the stable systems.

Regards!

Muhire Andrew

Ministry of Health / HMIS

"A mind is a terrible thing to waste"

Cell: (+25)0788436150

Twitter: andrewmuhire

Skype: muhire_andrew

muhireandrew@yahoo.com

Hi Andrew,

Thanks for your input.

On Mon, Dec 2, 2013 at 11:35 AM, Muhire Andrew muhireandrew@yahoo.com wrote:

Hi all,

Here are my inputs to DHIS2, maybe for future releases:

- To avoid people maybe misusing, and the risks of user names and passwords being cached in their browser's memory, it would be better if we make it optional when setting passwords, like a password expiring on date xx/xx/xxxx. This is important because some users request usernames and passwords only for research purposes over a given period, e.g. only 3 months; here the system should be able to automatically block him/her from logging in. For facility users, it would be better to have a specific period, with all of them alerted by email and forced to change the password. (Note that this is optional.)

This is a sensible request, and is in fact already planned for 2.14:

https://blueprints.launchpad.net/dhis2/+spec/password-change

- Another part is if someone is prompted and fails to log in several times, e.g. 6 or more times, the system automatically blocks that person and sends a message to the administrator for him to check if it's not an intruder.

This I am less sure about - the problem is that it will be very simple for an attacker to jam the system by constantly posting login attempts to an instance, thereby triggering the auto-locking and preventing anyone from logging in. Must think a bit more on this one.

cheers

Lars
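
The lockout trade-off discussed in this thread, as an added example that is not part of either message and is not DHIS2 code: it replays the same constructed login events through the proposed "block after 6 failures" rule and through a time-limited, per-source throttle. The throttle, all class and function names, the 300-second window and the sample addresses are assumptions made for illustration.

```python
from dataclasses import dataclass, field

THRESHOLD = 6  # failed attempts before the system reacts, as in the proposal

@dataclass
class HardLock:
    """Proposal as written: block the account until an administrator reviews it."""
    failures: dict = field(default_factory=dict)   # user -> consecutive failures
    locked: set = field(default_factory=set)
    alerts: list = field(default_factory=list)     # stands in for the admin message

    def attempt(self, user, source, ok, now):
        if user in self.locked:
            return "blocked"                       # even a correct password is refused
        if ok:
            self.failures.pop(user, None)
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= THRESHOLD:
            self.locked.add(user)
            self.alerts.append(user)
        return "denied"

@dataclass
class TimedThrottle:
    """Assumed alternative: pause only the (user, source) pair, and only for a while."""
    window: int = 300                              # seconds; constructed value
    state: dict = field(default_factory=dict)      # (user, source) -> [failures, blocked_until]
    alerts: list = field(default_factory=list)

    def attempt(self, user, source, ok, now):
        entry = self.state.setdefault((user, source), [0, 0])
        if now < entry[1]:
            return "blocked"
        if ok:
            entry[0] = 0
            return "ok"
        entry[0] += 1
        if entry[0] >= THRESHOLD:
            entry[:] = [0, now + self.window]
            self.alerts.append((user, source))
        return "denied"

def replay(policy, events):
    """Feed (user, source, password_ok, time) tuples to a policy, return the outcomes."""
    return [policy.attempt(*event) for event in events]

# Constructed events: six wrong guesses from one address, then the real user logs in.
EVENTS = [("facility_user", "203.0.113.9", False, t) for t in range(6)]
EVENTS.append(("facility_user", "198.51.100.4", True, 10))
```

Under the hard lock the last event, a correct password from the real user, comes back "blocked"; under the throttle it succeeds while the guessing address is paused and the administrator is still alerted. Counting per source is weaker against guesses spread over many addresses, so it shifts the trade-off rather than removing it.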