I'm looking for a Magento 1.X CE extension or solution that can enforce the expiry of an admin user's password every 60 days or so, requesting the admin to change it every 60 days.
My client is looking for a very secure platform solution, as there are a lot of admin users being assigned to the platform.
Thank you so much. James
Hi, this is something that Magento Enterprise does, so if you have access to that codebase, that might give you some inspiration. I haven't come across third-party extensions that do that myself.
I'm pretty sure there's research out there now that suggests that forcing users to change their passwords regularly like that leads to weak passwords because it's common just to add a number on the end.
I'd suggest these alternatives for your consideration:
- Use an extension for 2FA (e.g. https://github.com/magento-hackathon/Magento-Two-factor-Authentication)
- IP whitelist admin access (this could be achieved through whitelisting to a VPN if mobile people need access).