Can we force new users to change their password upon initial login?

Get help with installation and running phpBB 3.3.x here. Please do not post bug reports, feature requests, or extension related questions here.
oztkktzo4
Registered User
Posts: 13
Joined: Tue Feb 06, 2024 6:04 am

Can we force new users to change their password upon initial login?

Post by oztkktzo4 »

Support Request Template
What version of phpBB are you using? phpBB 3.3.11
What is your board's URL? https://localhost/phpBB3
Who do you host your board with? Self in a VM or InterServer
How did you install your board? I used the download package from phpBB.com
What is the most recent action performed on your board? Fresh Install
Is registration required to reproduce this issue? Yes
Do you have any MODs installed? No
Do you have any extensions installed? Yes
What extensions do you have installed? ACP Add User
What styles do you currently have installed? Default
What language(s) is your board currently using? en
Which database type/version are you using? MariaDB
What is your level of experience? New to PHP and phpBB
What username can be used to view this issue? any
What password can be used to view this issue? any
What actions did you take (updating your board; installing a MOD, style or extension; etc.) prior to this problem becoming noticeable? Happens on two boards:
The shared hosting that we've been prepping for production for a few weeks.
The board that we've installed as a test bed on a VM.

Only action was installing the ACP Add User extension and a lot of trial and error to work on this issue.
Please describe your problem. Is there a way to configure our board so that we create users with ACP > Add User, set the initial password and the board emails the user with this info. Then when they login for the first time, are required to re-set their own password?

Broken down the steps are:
  • create new user and activate the user via ACP Add User - this works
  • the user get an email created by the board with the link and password - this works
  • the user logs in - this works
  • should be prompted/forced to change the password - this "fails"(because we don't know if it's supported task flow) - they just login and continue.

We've been using these ACP > General > User registration settings >
Account activation: No Action or By user or By admin (preferably by admin)
Set Newly Registered Users group to default: Yes or No
Force password change: 1 Days <===== seems like a key setting

On the ACP Users Add User > Registration page:
Fill out: Username, Email address, Passwords, etc.
Groups: No group specified
Enable new user: Yes
Activate user account: checked.

Side Note:
As stated above, users don't get prompted to change their password. But admin already logged get forced *sometimes* to change admin password via UCP > Profile > Edit account settings.
Doesn't happen every time and not sure of the exact sequence of events so can't reproduce it. It has happened on two newish boards. One being prepared for users and production. And another solely as a test system.
Generated by SRT Generator

Thanks for any advice.
Last edited by oztkktzo4 on Fri Feb 23, 2024 4:42 am, edited 1 time in total.
oztkktzo4
Registered User
Posts: 13
Joined: Tue Feb 06, 2024 6:04 am

Re: Can we force new users to change their password upon initial login?

Post by oztkktzo4 »

gctaylor wrote: Wed Feb 21, 2024 1:33 am Side Note:
As stated above, users don't get prompted to change their password. But the admin already logged get forced *sometimes* to change admin password via UCP > Profile > Edit account settings.
Doesn't happen every time and not sure of the exact sequence of events so can't reproduce it. It has happened on two newish boards. One being prepared for users and production. And another solely as a test system.
This behavior is predictable now. There are two places you can set Force password change: and the last one to be set changes the value for both places. Since we were setting it to 1(day) the password change requirement for the logged in admin were coming at a seemingly random time.

ACP > BOARD CONFIGURATION > User registration settings > Force password change:

and

ACP > SERVER CONFIGURATION > Security settings > Force password change:

Doesn't seem like there is a Jira issue for this and maybe there should be. Would like someone with more experience to weigh in on this before we create an incorrect issue and waste devs time.

As for the original question, we haven't figured out a workaround except to ask the users to change the password themselves(which is already in the email). Unless maybe when the user is created, a ridiculously complex password is used that will encourage changing it.

Also tried the option of going to the login page and selected the 'I forgot my password', pretending to be the newly created user and it sent an email with the reset your password link. The test user could ignore the email and still login with the original password. So that didn't do any good.

Still trying to figure this out.
Last edited by oztkktzo4 on Fri Feb 23, 2024 4:39 am, edited 1 time in total.
User avatar
warmweer
Jr. Extension Validator
Posts: 11623
Joined: Fri Jul 04, 2003 6:34 am
Location: Van Allen Bel ... gium

Re: Can I force new users to change their password upon initial login?

Post by warmweer »

gctaylor wrote: Thu Feb 22, 2024 3:49 am
Still trying to figure this out.
a quick and dirty method is to edit the password in the database, forcing the user to use "lost password"
or just edit the password in manage users (same effect)
Spelling is freeware, which means you can use it for free.
On the other hand, it is not open source, which means you cannot change it or publish it in a modified form.


Time flies like an arrow, but fruit flies like a banana.
User avatar
KevC
Support Team Member
Support Team Member
Posts: 72534
Joined: Fri Jun 04, 2004 10:44 am
Location: Oxford, UK

Re: Can I force new users to change their password upon initial login?

Post by KevC »

Alternative suggestion.....

Use the Q&A antispam like a secure invitation code to the people you know for sure you want to register.

So, rather than making the accounts yourself, email them all and say, on the registration page, enter this code.

Then in the Q&A you have 'Enter the code from your invitation email' and make the answer a random number/letter string (not a dictionary word).

That way, they can create their own account with their own username and password and only people who know that code can sign up.
-:|:- Support Request Template -:|:-
Image
"Step up to red alert. Sir, are you absolutely sure? It does mean changing the bulb"
oztkktzo4
Registered User
Posts: 13
Joined: Tue Feb 06, 2024 6:04 am

Re: Can we force new users to change their password upon initial login?

Post by oztkktzo4 »

warmweer wrote: Thu Feb 22, 2024 8:26 am a quick and dirty method is to edit the password in the database, forcing the user to use "lost password"
or just edit the password in manage users (same effect)
Thanks for the idea. On the surface we think this might be the way to go. The problem is that our users will be confused because they'll have just gotten an email from the board with a password and it won't work. It wouldn't be instinctive to right away go for the lost password route.

Curious how hard it would be for a PHP neophyte to modify the outgoing email(the one they get after completing the ACP Add user steps) template so that it removes the password and includes the reset your password link? Been thinking about trying to put the phpbb code in an IDE to be able to walk through it but it's several steps above our ability at the moment. Or maybe some print statements but also above our ability right now.

KevC wrote: Thu Feb 22, 2024 9:22 am Alternative suggestion.....
Use the Q&A antispam like a secure invitation code to the people you know for sure you want to register.
So, rather than making the accounts yourself, email them all and say, on the registration page, enter this code.
That way, they can create their own account with their own username and password and only people who know that code can sign up.
Thanks for this idea. It's solid... except that we need to create the accounts so we can have sane usernames in an effort to know who is posting in the forums.
User avatar
KevC
Support Team Member
Support Team Member
Posts: 72534
Joined: Fri Jun 04, 2004 10:44 am
Location: Oxford, UK

Re: Can we force new users to change their password upon initial login?

Post by KevC »

gctaylor wrote: Thu Feb 22, 2024 11:24 pm Thanks for this idea. It's solid... except that we need to create the accounts so we can have sane usernames in an effort to know who is posting in the forums.
But you could state that in the email that goes out to them.
Or tailor each email (depends how many accounts of course) so that it says please use <this> username when registering.
-:|:- Support Request Template -:|:-
Image
"Step up to red alert. Sir, are you absolutely sure? It does mean changing the bulb"
oztkktzo4
Registered User
Posts: 13
Joined: Tue Feb 06, 2024 6:04 am

Re: Can we force new users to change their password upon initial login?

Post by oztkktzo4 »

KevC wrote: Fri Feb 23, 2024 8:57 am But you could state that in the email that goes out to them.
Or tailor each email (depends how many accounts of course) so that it says please use <this> username when registering.
This looks like the best option. Thanks for your Support and patience.

Return to “[3.3.x] Support Forum”