What to do if there is a risk of a password compromise?
If a data controller detects a data breach related to an individual's password:
- the data controller must notify the CNIL within a period not exceeding 72 hours;
- it must require the user concerned to change his or her password the next time he or she logs in;
- it must recommend that the user change his or her passwords for other services, if he or she has used the same password for them.
It would be great to be able to force the user to change passwords through the admin interface.
It would also be great to be able to configure the entropy level (a certain number of numbers, letters, special characters) through the admin interface.