Ability to configure user password expiration date


Description

If we want to tighten our security policy, the only options are to configure a password length limit and add two-factor authentication. But some users never change the password that was set on their first login to GitLab. Those users are a security risk.

Proposal

  • Allow an admin to set a password expiration policy at the instance level.
    • An admin should be able to specify that passwords expire every X days.
    • A user using a password should receive an email notifying them that their password has expired.
    • We can consider using the "reset password" flow to create a new password.
    • Previously used passwords shouldn't be valid.
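
One way to implement the proposed policy, as an added example in Ruby that is not GitLab's code: an admin-level `PasswordPolicy` (assumed structure) with `max_age_days` (nil means no forced rotation, consistent with the NIST guidance quoted below) and a `history_size` window of retired hashes that may not be reused. Passwords are hashed with PBKDF2-HMAC-SHA256 at an assumed iteration count, standing in for whatever hasher the application actually uses, and users are plain in-memory structs rather than database records. The notification email is returned as a string instead of being sent.

```ruby
require 'openssl'
require 'securerandom'

# Instance-level policy an admin would configure (hypothetical structure).
# max_age_days: nil disables forced rotation; history_size: how many previous
# passwords, besides the current one, may not be reused.
PasswordPolicy = Struct.new(:max_age_days, :history_size, keyword_init: true)

# Per-user state; previous_hashes holds the most recently retired hash first.
User = Struct.new(:email, :password_hash, :password_set_at, :previous_hashes,
                  keyword_init: true)

PBKDF2_ITERATIONS = 100_000 # assumed work factor; stands in for the app's real hasher
KEY_LENGTH = 32

def derive_key(password, salt)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: PBKDF2_ITERATIONS,
                           length: KEY_LENGTH, hash: 'sha256')
end

# Stored form is "<salt-hex>$<key-hex>" with a fresh random salt per password.
def hash_password(password)
  salt = SecureRandom.random_bytes(16)
  "#{salt.unpack1('H*')}$#{derive_key(password, salt).unpack1('H*')}"
end

# Constant-time comparison so a mismatch does not leak how many bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def password_matches?(stored, candidate)
  salt_hex, key_hex = stored.split('$', 2)
  secure_equal?(derive_key(candidate, [salt_hex].pack('H*')), [key_hex].pack('H*'))
end

# "Expire every X days": true once the password is at least max_age_days old.
def password_expired?(user, policy, now: Time.now)
  return false if policy.max_age_days.nil?
  user.password_set_at + policy.max_age_days * 86_400 <= now
end

# "Previously used passwords shouldn't be valid": the candidate is rejected if
# it matches the current hash or any retained previous hash.
def reused_password?(user, candidate, policy)
  history = [user.password_hash] + user.previous_hashes.first(policy.history_size)
  history.any? { |h| password_matches?(h, candidate) }
end

# The reset flow: refuse reuse, retire the old hash into the history window,
# store the new hash and restart the expiry clock.
def change_password!(user, new_password, policy, now: Time.now)
  raise ArgumentError, 'password was used previously' if reused_password?(user, new_password, policy)

  user.previous_hashes = ([user.password_hash] + user.previous_hashes).first(policy.history_size)
  user.password_hash = hash_password(new_password)
  user.password_set_at = now
  user
end

# Body of the notification email; nil when nothing needs sending.
def expiry_notice(user, policy, now: Time.now)
  return nil unless password_expired?(user, policy, now: now)

  "Hello #{user.email}, your password set on #{user.password_set_at.utc.strftime('%Y-%m-%d')} " \
    "has expired under the #{policy.max_age_days}-day policy. " \
    'Use the reset-password flow to choose a new one.'
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data, not taken from any real instance.
  policy = PasswordPolicy.new(max_age_days: 90, history_size: 3)
  user = User.new(email: 'dev@example.com', password_hash: hash_password('initial-pw'),
                  password_set_at: Time.utc(2024, 1, 1), previous_hashes: [])
  puts expiry_notice(user, policy, now: Time.utc(2024, 4, 1))
  change_password!(user, 'second-pw', policy, now: Time.utc(2024, 4, 1))
  begin
    change_password!(user, 'initial-pw', policy)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

Keeping the retired hashes (never the plaintext) is what makes the reuse check possible without weakening storage; the window is bounded by `history_size` so old hashes are eventually dropped rather than accumulating forever.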

Links / references

Current NIST Guidelines

Also, I want to pass along the most recent password change guidelines from NIST (Sept 2021):

How Often Should You Change Your NIST Password? Contrary to popular belief and prior standards, NIST does not suggest changing passwords on a frequent basis; individuals who are asked to change passwords frequently are much more likely to keep an old password and merely append a number, letter, or special character to the end of it. Professional hackers know this trick and are savvy enough to predict minor changes. If you have a data breach or you know your password has been compromised, then it is time for a password change; otherwise, an annual password reset is enough.

Edited by 🤖 GitLab Bot 🤖