User password expiration

Hey, do passwords expire in OpenMRS? If so, where in the database is this date stored? I don’t see anything in the users table.

We’d like to run a query to identify users with passwords set to expire so we can proactively notify them and reset the password.

Thanks, JJ

I'm not aware of any such functionality. The closest to it that we have is forcing the user to change their password on login, in which case a property with the name “forcePassword” is stored with a value of “true” in the user_property table. Context.getAuthenticatedUser().isSupposedToChangePassword()

Thanks Daniel!

@jdick that being said, I'm reading an increasing number of posts against expiring passwords. The argument is that it does not improve security in any significant manner because users will change passwords in ways that are easy to predict. For instance, see these three passwords that I would change to when forced: kayiwa1, kayiwa2, kayiwa3, etc. :smile: So it serves more as an inconvenience to the end user than what you would actually achieve!

Like @dkayiwa, I’m not aware of any support for expiring passwords within the platform. This could be added relatively easily via a module (e.g., either using a user property or a mymoduleid_users2 table extending users with password_date_changed attribute + a little AOP magic + a scheduled task). I glanced at the amrscustomizations module and didn’t see anything suggesting that it added AMPATH-specific password expiration.

JJ, you mentioned to me that users are seeing messages like “Your password will expire in 2 weeks” at AMPATH. If you can get a screenshot of the message (including the address in the address bar and, if possible, the page source), that could help us track down what’s generating that message (make sure you’ve redacted any personal info in the content, including internal IDs, before sharing publicly).

While, in general, I agree with there being better security options than ≤90-day password expirations (e.g., 2-factor authentication, enforcing use of strong passphrases with far less frequent forced changes, etc.), some entities may be obligated to expire passwords based on institutional or ministry rulings to protect health data.
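As an added, runnable illustration of both replies above (this is example code written for this page, not OpenMRS core or module code): the first query finds users flagged with the real “forcePassword” user property that Daniel mentioned; the second implements the report JJ asked for on top of Burke's user-property idea, where a module records the last change date. The schema is an in-memory SQLite stand-in for the users and user_property tables (columns user_id, property, property_value), the sample rows are constructed, and the property name passwordDateChanged and the 90-day/14-day windows are assumptions, not anything OpenMRS ships.

```python
"""Constructed example: report OpenMRS users whose password needs changing.

Assumptions (not from the thread's own code):
  - user_property has columns user_id, property, property_value and joins
    to users.user_id;
  - "forcePassword" = "true" marks a forced change at next login (from
    Daniel's reply; this property is real OpenMRS behaviour);
  - a module stores the last change date in a hypothetical user property
    "passwordDateChanged" as an ISO date (Burke's suggestion; the name is
    an assumption).
Runs against an in-memory SQLite copy of the two tables so it works offline.
"""
import sqlite3
from datetime import date, timedelta

FORCE_PASSWORD = "forcePassword"                # real OpenMRS property name
PASSWORD_DATE_CHANGED = "passwordDateChanged"   # assumed module property name

# Constructed sample data standing in for a minimal users/user_property dump.
SAMPLE_USERS = [(1, "admin"), (2, "jdick"), (3, "dkayiwa"), (4, "burke")]
SAMPLE_PROPERTIES = [
    (1, FORCE_PASSWORD, "true"),
    (2, PASSWORD_DATE_CHANGED, "2015-01-15"),
    (3, PASSWORD_DATE_CHANGED, "2015-04-20"),
    (4, PASSWORD_DATE_CHANGED, "2015-05-01"),
]


def load_sample_db() -> sqlite3.Connection:
    """Build the two tables in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT NOT NULL);
        CREATE TABLE user_property (
            user_id INTEGER NOT NULL REFERENCES users(user_id),
            property TEXT NOT NULL,
            property_value TEXT,
            PRIMARY KEY (user_id, property)
        );
    """)
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO user_property VALUES (?, ?, ?)", SAMPLE_PROPERTIES)
    return conn


def forced_change_users(conn):
    """Usernames flagged by the forcePassword property (Daniel's reply)."""
    rows = conn.execute(
        """
        SELECT u.username
          FROM users u
          JOIN user_property p ON p.user_id = u.user_id
         WHERE p.property = ? AND LOWER(p.property_value) = 'true'
         ORDER BY u.username
        """,
        (FORCE_PASSWORD,),
    )
    return [r[0] for r in rows]


def expiry_report(conn, today, max_age_days=90, warn_days=14):
    """Classify users by the assumed passwordDateChanged property.

    Returns {"expired", "expiring", "ok", "unknown"}. Users with no date or
    a malformed one land in "unknown": a missing date must be flagged, not
    treated as fresh, or accounts predating the module would never expire.
    """
    report = {"expired": [], "expiring": [], "ok": [], "unknown": []}
    rows = conn.execute(
        """
        SELECT u.username, p.property_value
          FROM users u
          LEFT JOIN user_property p
                 ON p.user_id = u.user_id AND p.property = ?
         ORDER BY u.username
        """,
        (PASSWORD_DATE_CHANGED,),
    )
    for username, changed in rows:
        try:
            expires = date.fromisoformat(changed) + timedelta(days=max_age_days)
        except (TypeError, ValueError):      # NULL or unparsable date
            report["unknown"].append(username)
            continue
        days_left = (expires - today).days
        if days_left <= 0:
            report["expired"].append(username)
        elif days_left <= warn_days:
            report["expiring"].append((username, days_left))   # notify these
        else:
            report["ok"].append(username)
    return report


if __name__ == "__main__":
    db = load_sample_db()
    print("forced change at next login:", forced_change_users(db))
    print(expiry_report(db, today=date(2015, 7, 10)))
```

Against a real MySQL OpenMRS database the two SELECT statements run unchanged (drop the LOWER() if your collation is already case-insensitive); only the SQLite setup is scaffolding for the example. The report deliberately separates "unknown" from "ok" so that a freshly installed module, which has no change dates yet, produces a list of accounts to seed rather than silently passing everyone.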