XF 2.2 Disallowing re-using of existing password when changing passwords.

hoks

Member
I have the dragonbyte security add-on that has the option to require users to change their passwords after a certain time period.

Some users on my forums remarked that they were able to re-use their existing passwords again, when they "change" their passwords.
This basically means they can use the same password perpetually, which kind of defeats the purpose of forcing a password change. :p

Is this an intended feature of XF?
Should I take up the issue with Dragonbyte instead?
 
That would be a Dragonbyte issue, I think, since the timed password changes are also a Dragonbyte feature. I would expect that such an add-on would have that as well, given password expiry is kind of useless without it. Out of the box, XF really just lets you set a password and maybe the length? I would have to check ACP. I have not touched the password settings in so long.

Frankly, the current IT wisdom is to dispense with expiry for ordinary users and focus on things like proper MFA (preferably app-driven rather than email or text) and/or passkeys for better security. That's per NISA.
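A reuse check of the kind asked about in this thread, as an added example in plain PHP that is not XenForo's or DragonByte's code. The function names, the history list and the depth of 5 are assumptions, and checking older passwords as well goes beyond the current-password case raised above.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not part of XenForo or the DragonByte add-on.
// $currentHash:    stored hash of the password in use now.
// $previousHashes: older stored hashes, newest first (assumed history store).
function isReusedPassword(string $candidate, string $currentHash,
                          array $previousHashes, int $depth = 5): bool
{
    // Salted hashes of the same password differ on every call to
    // password_hash(), so comparing hash strings never detects reuse.
    // The plaintext candidate has to be verified against each stored hash.
    $toCheck = array_merge([$currentHash], array_slice($previousHashes, 0, $depth));
    foreach ($toCheck as $hash) {
        if (password_verify($candidate, $hash)) {
            return true;
        }
    }
    return false;
}

// Hypothetical change routine: rejects reuse, then rotates the history.
function changePassword(string $candidate, string $currentHash,
                        array $previousHashes, int $depth = 5): array
{
    if (isReusedPassword($candidate, $currentHash, $previousHashes, $depth)) {
        throw new InvalidArgumentException(
            'New password must differ from the current and recent passwords.'
        );
    }
    // The outgoing hash moves to the front of the history, trimmed to $depth.
    array_unshift($previousHashes, $currentHash);
    return [
        'current' => password_hash($candidate, PASSWORD_DEFAULT),
        'history' => array_slice($previousHashes, 0, $depth),
    ];
}

// Constructed sample data for illustration only.
$current = password_hash('constructed-current-pw', PASSWORD_DEFAULT);
$history = [password_hash('constructed-older-pw', PASSWORD_DEFAULT)];

var_dump(isReusedPassword('constructed-current-pw', $current, $history));
var_dump(isReusedPassword('constructed-older-pw', $current, $history));
var_dump(isReusedPassword('constructed-brand-new-pw', $current, $history));

$updated = changePassword('constructed-brand-new-pw', $current, $history);
var_dump(count($updated['history']));
```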
 