We recently had a security issue not directly related to OJS and one of the options discussed (but not ultimately required) was expiring all OJS users’ passwords.
There doesn’t appear to be an easy way to do this, but it seems like a useful security feature. Either built-in or via a plugin. The functionality could work on a journal-by-journal basis (which is what our use-case potentially called for) or sitewide.
Not hugely keen to discuss details of the security issue publicly; if anyone needs to know details, they can contact me directly. The issue was not OJS-specific and could have happened to any system with local usernames and passwords.
We are trying to make all first “Feature Request” posts follow the same structure. We hope this will make it easier to understand the requests and, at the same time, ensure that no relevant information is missing.
Could you please edit your post following this template?
Describe the problem you would like to solve
Example: Our editors need a way to […]
Describe the solution you’d like
Tell us how you would like this problem to be solved.
Who is asking for this feature?
Tell us what kind of users are requesting this feature. Example: Journal Editors, Journal Administrators, Technical Support, Authors, Reviewers, etc.
Add any other information or screenshots about the feature request here.
You can use this post as a reference.
If you go into the users table in the database, and set the must_change_password column to 1 for any subset of users, then those users will be forced to pick a new password at the next login. I don’t think it’s likely that we’ll write e.g. a CLI tool to do this, as it’s a niche use case and easily enough done using e.g. phpMyAdmin, but hopefully that’ll get you where you need to go.
Standard disclaimer: make sure to take a backup before working with the database directly!
Public Knowledge Project Team
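The database change described in the reply above, written out as an added example (not code from the original posts or from PKP). It assumes OJS 3.x on MySQL/MariaDB; only `users.must_change_password` comes from the thread, while the `journals`, `user_groups` and `user_user_groups` tables and their columns are assumptions about the OJS 3 schema to check against your installation.

```sql
-- Added example: flag accounts so OJS forces a password change at next login.
-- Run as one batch (e.g. the phpMyAdmin SQL tab) after taking a backup.

-- Assumption: journals(journal_id, path) lists the hosted journals.
SELECT journal_id, path FROM journals;

-- Set to one journal_id from the list above, or leave NULL for sitewide.
SET @journal_id = NULL;

START TRANSACTION;

-- Preview: how many accounts are in scope and not yet flagged.
-- Assumption: membership of a journal is recorded through
-- user_user_groups(user_id, user_group_id) -> user_groups(user_group_id, context_id).
SELECT COUNT(*) AS users_to_flag
FROM users u
WHERE u.must_change_password = 0
  AND (@journal_id IS NULL
       OR u.user_id IN (
            SELECT uug.user_id
            FROM user_user_groups uug
            JOIN user_groups ug ON ug.user_group_id = uug.user_group_id
            WHERE ug.context_id = @journal_id));

-- Apply the flag to the same set of accounts.
UPDATE users u
SET u.must_change_password = 1
WHERE u.must_change_password = 0
  AND (@journal_id IS NULL
       OR u.user_id IN (
            SELECT uug.user_id
            FROM user_user_groups uug
            JOIN user_groups ug ON ug.user_group_id = uug.user_group_id
            WHERE ug.context_id = @journal_id));

-- Should match users_to_flag from the preview.
SELECT ROW_COUNT() AS users_flagged;

-- Use ROLLBACK instead if the count is not what you expected
-- (transactions only take effect on InnoDB tables).
COMMIT;
```

The flag only takes effect at the next login, so each account's existing password still works until that user signs in and chooses a new one.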