Ability to configure user password expiration date
Description
If we want to strengthen our security policy, the only options are to configure a password length limit and add two-factor authentication. But some users never change the password that was set on their first login to GitLab. Users like that are a security vulnerability.
Proposal
- Allow an admin to set a password expiration policy at the instance level.
- An admin should be able to specify that passwords expire every X days.
- A user using a password should receive an email notifying them that their password has expired.
- We can consider using the "reset password" flow to create a new password.
- Previously used passwords shouldn't be valid.
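The proposal above describes three checks (expire after X days, reject previously used passwords, route expired users to a reset) without saying how they fit together. The following is an added example written for this issue, not GitLab's own code or configuration: a small Ruby model in which the admin-level policy is a `PasswordPolicy` struct, a user record keeps the time of the last change plus a bounded history of old credential hashes, and reuse is detected by comparing against stored salted hashes rather than plaintext. `PasswordPolicy`, `new_user`, `authenticate` and `change_password!` are hypothetical names; PBKDF2-HMAC-SHA256 and the iteration count are choices made here for portability (Ruby's stdlib `openssl`), not GitLab's hashing scheme. `expire_after_days: nil` models the "no forced rotation" default that the NIST guidance below argues for.

```ruby
require "openssl"
require "securerandom"
require "time"

# Hypothetical instance-level settings an admin would configure (constructed
# for this example; not GitLab's real settings). expire_after_days may be nil.
PasswordPolicy = Struct.new(:expire_after_days, :history_size, keyword_init: true)

PBKDF2_ITERATIONS = 20_000 # constructed; production should use far more, or bcrypt/argon2
HASH_BYTES = 32

# Salted PBKDF2-HMAC-SHA256. Only salt + digest are kept, so the password
# history never stores plaintext.
def hash_password(password, salt = SecureRandom.random_bytes(16))
  digest = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, PBKDF2_ITERATIONS, HASH_BYTES,
                                      OpenSSL::Digest.new("SHA256"))
  { salt: salt, digest: digest }
end

# Constant-time comparison so a mismatch cannot be timed byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def password_matches?(password, record)
  candidate = hash_password(password, record[:salt])[:digest]
  secure_equal?(candidate, record[:digest])
end

# User record: current credential, bounded history of old credentials, and the
# timestamp the expiry check needs.
def new_user(initial_password, now: Time.now)
  { current: hash_password(initial_password), history: [], password_changed_at: now }
end

# nil means "never expire"; a positive value enforces "expire every X days".
def password_expired?(user, policy, now: Time.now)
  return false if policy.expire_after_days.nil?
  now - user[:password_changed_at] >= policy.expire_after_days * 86_400
end

# True if the candidate equals the current password or any retained old one.
def reused_password?(user, candidate)
  [user[:current], *user[:history]].any? { |rec| password_matches?(candidate, rec) }
end

# Rotate the credential, rejecting reuse and trimming history to the policy size.
# Returns :changed or :reused.
def change_password!(user, new_password, policy, now: Time.now)
  return :reused if reused_password?(user, new_password)
  user[:history].unshift(user[:current])
  user[:history] = user[:history].first(policy.history_size)
  user[:current] = hash_password(new_password)
  user[:password_changed_at] = now
  :changed
end

# Login decision. :expired is the signal to send the user into the
# "reset password" flow instead of granting a session.
def authenticate(user, password, policy, now: Time.now)
  return :invalid unless password_matches?(password, user[:current])
  return :expired if password_expired?(user, policy, now: now)
  :ok
end

if __FILE__ == $PROGRAM_NAME
  policy = PasswordPolicy.new(expire_after_days: 90, history_size: 3)
  user = new_user("correct horse", now: Time.utc(2021, 9, 1))
  puts authenticate(user, "correct horse", policy, now: Time.utc(2021, 12, 15)) # => expired
  puts change_password!(user, "correct horse", policy)                          # => reused
  puts change_password!(user, "battery staple", policy)                         # => changed
end
```

Checking the password before the expiry clock means a wrong password is rejected the same way whether or not the credential is stale; only a correct, stale password is diverted to the reset flow. The history size bounds how many old hashes must be recomputed per change, which matters once the iteration count is raised to production levels.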
Links / references
Current NIST Guidelines
Also, I want to pass along the most recent password change guidelines from NIST (Sept 2021):
How Often Should You Change Your NIST Password? Contrary to popular belief and prior standards, NIST does not suggest changing passwords on a frequent basis; individuals who are asked to change passwords frequently are much more likely to keep an old password and merely append a number, letter, or special character to the end of it. Professional hackers know this trick and are savvy enough to predict minor changes. If you have a data breach or you know your password has been compromised, then it is time for a password change; otherwise, an annual password reset is enough.