ASVS 2.1 Password Security Requirements- Change/Reset Password for user with emergency access #7350

Open
wants to merge 1 commit into
base: master

@RatishkumarS RatishkumarS commented Apr 14, 2024

Fixes #7349

Short description of what this resolves:

This enhances password security requirements for a user who tries to log in, forgets their credentials, and has an emergency need to enter the application. In these cases there should be an easy and effective mechanism to regain access. As OpenEMR is a health-related application, it should focus on user-friendly authorization.

Changes proposed in this pull request:

Change password functionality for existing users.
Update old password with new password in the phpMyAdmin database.

@adunsulag
Sponsor Member

A couple of the administrators had a discussion about this in the past. Please review the following OpenEMR community forum thread about implementing this feature.

https://community.open-emr.org/t/forget-password-in-login-screen/8899/13

I'm fine with a forgot password option but it needs to be configurable by a global setting as there are some installations (as discussed in the thread) that will turn this functionality off.

Also, I would like to hear from you on the discussion in the forum thread of the need or lack of need for MFA to be turned on in order for reset password to be enabled. I think a compromise would be to have another global option to require MFA for all password resets (turned on by default) and to allow installations to turn this off. If you need help on how to add a global setting please let us know and we can provide guidance.

@adunsulag added the WaitingForInfo label (This will put in queue for stale bot) on Apr 22, 2024
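
The two-setting gate proposed in the review comment above, sketched as an added example that is not part of this pull request or of OpenEMR's code base. The setting keys, function names and sample installations are hypothetical, and both settings fail closed when absent or unparseable (reset off, MFA required).

```php
<?php
declare(strict_types=1);

// Hypothetical setting keys for this example; not OpenEMR's actual globals.
const RESET_ENABLED = 'password_reset_enabled';
const RESET_REQUIRE_MFA = 'password_reset_require_mfa';

// Read a boolean setting; absent or unparseable values fall back to $default.
function boolSetting(array $globals, string $key, bool $default): bool
{
    $raw = $globals[$key] ?? null;
    if ($raw === null || is_bool($raw)) {
        return $raw ?? $default;
    }
    return filter_var($raw, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE) ?? $default;
}

// Decide whether a reset may proceed. Defaults fail closed:
// the feature is off unless enabled, and MFA is required unless turned off.
function resetDecision(array $globals, bool $mfaEnrolled, bool $mfaVerified): array
{
    if (!boolSetting($globals, RESET_ENABLED, false)) {
        return [false, 'reset disabled for this installation'];
    }
    if (!boolSetting($globals, RESET_REQUIRE_MFA, true)) {
        return [true, 'MFA not required by site setting'];
    }
    if (!$mfaEnrolled) {
        return [false, 'MFA required but user has no factor enrolled'];
    }
    return $mfaVerified
        ? [true, 'MFA verified']
        : [false, 'MFA challenge not completed'];
}

// Constructed sample installations and requests: [settings, enrolled, verified].
$cases = [
    'no settings stored'     => [[], true, true],
    'enabled, MFA default'   => [[RESET_ENABLED => '1'], true, false],
    'enabled, MFA verified'  => [[RESET_ENABLED => '1'], true, true],
    'enabled, MFA opted out' => [[RESET_ENABLED => '1', RESET_REQUIRE_MFA => '0'], false, false],
    'garbled MFA setting'    => [[RESET_ENABLED => 'on', RESET_REQUIRE_MFA => 'maybe'], false, false],
];
foreach ($cases as $label => [$globals, $enrolled, $verified]) {
    [$allow, $reason] = resetDecision($globals, $enrolled, $verified);
    printf("%-24s %s (%s)\n", $label, $allow ? 'ALLOW' : 'DENY', $reason);
}
```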

Successfully merging this pull request may close these issues.

Change/Reset Password for users with emergency access