derhansen/fe\_change\_pwd
=========================

Plugin to enable password change for frontend users. Contains configurable password rules and password change enforcement.

Latest version: 6.0.0 · License: GPL-2.0-or-later · PHP >=8.2

Change password for frontend users
==================================

What does it do?
----------------

This TYPO3 extension contains a plugin to allow logged-in frontend users to change their password. The new user password is validated against the TYPO3 password policy for frontend users.

Password changes for frontend users can be enforced, and passwords can expire after a certain amount of days.

**Features:**

- Change password plugin
- Validates the password against the TYPO3 password policies for frontend users
- Force password change for frontend users
- Redirect to a configured page when password change is required
- Password expiration after a configurable number of days
- Optionally requires the current password to change the password
- Optionally requires a change password code, which is sent to the user's email address, to change the password

Screenshot
----------

The screenshot below shows the output of the "Change Frontend User Password" plugin after the user tried to submit a weak password.

[![Screenshot of the plugin output](Documentation/Images/plugin-output.png "Output of the plugin after password validation")](Documentation/Images/plugin-output.png)

Installation
------------

1. Install the extension from the TYPO3 Extension Repository or using Composer and add the Static TypoScript "Change password for frontend users" to your TypoScript template.
2. Add the site set "Change password for frontend users" to your site.
3. Create a new page and make sure that the page is only visible to logged-in frontend users.
4. Add the plugin "Change Frontend User Password" to the page created in step 3.
5. Change the site settings to your needs. Note that if you want to use the password change enforcement, you **must** set `fe_change_pwd.changePasswordPid` to the page uid of the page created in step 3.
6. Change the TypoScript settings to your needs.
7. Optionally, change the path to the extension templates in TypoScript and modify the templates to your needs.

New fe\_user fields
-------------------

The extension adds two new fields to the fe\_users table (see screenshot).

[![Screenshot of a fe_users](Documentation/Images/fe-user-password-settings.png "New fields in fe_users table")](Documentation/Images/fe-user-password-settings.png)

If the checkbox "User must change password at next login" is set and a valid `changePasswordPid` is configured, the user will be redirected to the configured page after login when accessing pages as configured in the `plugin.tx_fechangepwd.settings.redirect` section.

The password expiry date defines the date after which a user must change the password.

**Tip:** If you quickly want all frontend users to change their passwords, you can use a simple SQL statement to set the field in the database, as shown in this example: `UPDATE fe_users set must_change_password=1;`

Site configuration settings
---------------------------

- `fe_change_pwd.changePasswordPid` *(integer)* The pid to redirect to if a password change is required. This is usually the page with the plugin of the extension.
- `fe_change_pwd.redirect.allAccessProtectedPages` *(bool)* If set to `1`, a redirect to the configured `fe_change_pwd.changePasswordPid` will be forced for all access protected pages. Note that if this option is set, `includePageUids` is ignored!
- `fe_change_pwd.redirect.includePageUids` *(string)* A redirect to the configured `changePasswordPid` will be forced for the configured PIDs, separated by a comma.
- `fe_change_pwd.redirect.includePageUidsRecursionLevel` *(integer)* The recursion level for all pages configured in `fe_change_pwd.redirect.includePageUids`. Use this option if you, for example, want to force a redirect for a page and all subpages.
- `fe_change_pwd.redirect.excludePageUids` *(string)* No redirect will be forced for the configured PIDs, separated by a comma.
- `fe_change_pwd.redirect.excludePageUidsRecursionLevel` *(integer)* The recursion level for all pages configured in `fe_change_pwd.redirect.excludePageUids`. Use this option if you, for example, want to exclude a page and all subpages from the redirect.

TypoScript configuration settings
---------------------------------

The following TypoScript settings are available.

**plugin.tx\_fechangepwd.settings.requireCurrentPassword**

- `enabled` *(bool)* If set to `1`, the user must enter the current password in order to set a new password. Default setting is `1`.

**plugin.tx\_fechangepwd.settings.requireChangePasswordCode**

- `enabled` *(bool)* If set to `1`, the user must enter a change password code, which will be sent to the user's email address, to set a new password. Default setting is `0`.
- `validityInMinutes` *(integer)* The time in minutes the change password code is valid after it has been requested by the user.
- `senderEmail` *(string)* Sender email address for the email sent to the user
- `senderName` *(string)* Sender name for the email sent to the user

**plugin.tx\_fechangepwd.settings.passwordExpiration**

- `enabled` *(bool)* If set to `1`, new passwords will expire after the configured number of days
- `validityInDays` *(integer)* The number of days a new password is valid before it needs to be changed

**plugin.tx\_fechangepwd.settings.afterPasswordChangeAction**

- `redirect` *(string)* Redirects the user to the "update" action and adds a flash message, that the password has been updated.
- `view` *(string)* Shows the view for the update action with a message, that the password has been updated

Styling
-------

The extension output is completely unstyled. Feel free to [override](https://stackoverflow.com/questions/39724833/best-way-to-overwrite-a-extension-template) the Fluid templates to your needs.

Overriding Fluid email templates
--------------------------------

If the email template used for the "change password code" email needs to be overridden, this can be changed in `$GLOBALS['TYPO3_CONF_VARS']['MAIL']['templateRootPaths'][750]` or by adding a template override for the `ChangePasswordCode` template.

Possible Errors
---------------

### No password hashing service

The extension will not save a user password if it cannot be hashed. If this scenario occurs, the following exception is shown:

`No secure password hashing service could be initialized. Please check your TYPO3 system configuration`

### Possible CSRF detected

When the extension detects a possible CSRF, the following message is shown:

`Possible CSRF detected. Ensure a valid "changeHmac" is provided.`

If you unexpectedly see this message, ensure you add the `changeHmac` property as described in "Breaking Changes" for version 1.5.0.

For developers
--------------

### PSR-14 events

The extension currently contains the following PSR-14 events:

- Derhansen\\FeChangePwd\\Controller\\PasswordController
    - `AfterPasswordUpdatedEvent`
    - `ModifyUpdatePasswordResponseEvent`
- Derhansen\\FeChangePwd\\Middleware\\ForcePasswordChangeRedirect
    - `ModifyRedirectUrlParameterEvent`

Additionally, the extension dispatches the TYPO3 core PSR-14 event `TYPO3\CMS\Core\PasswordPolicy\Event\EnrichPasswordValidationContextDataEvent`.

If additional user data has to be considered for password validation, please use this event to add the data to the `ContextData` DTO.

Versions
--------

| Version | TYPO3 | PHP | Support/Development |
|---------|-------|-----|---------------------|
| 6.x | 14.3 | 8.2 - 8.5 | Features, Bugfixes, Security Updates |
| 5.x | 13.4 | 8.2 - 8.5 | Features, Bugfixes, Security Updates |
| 4.x | 12.4 | 8.1 - 8.4 | Bugfixes, Security Updates |
| 3.x | 11.5 | 7.4 - 8.3 | Security Updates |
| 2.x | 9.5 - 10.4 | 7.2 - 7.4 | Support dropped |
| 1.x | 8.7 - 9.5 | 7.0 - 7.3 | Support dropped |

Reporting a Vulnerability
-------------------------

Please report vulnerabilities to .

Breaking changes
----------------

### Version 5.0.0

This version contains major breaking changes, which must be migrated manually. The following TypoScript settings must be migrated to site settings:

- `plugin.tx_fechangepwd.settings.changePasswordPid` => `fe_change_pwd.changePasswordPid`
- `plugin.tx_fechangepwd.settings.redirect.*` => `fe_change_pwd.redirect.*`

This change is required, since full TypoScript is not available for cached pages in a PSR-15 middleware.

This breaking change limits the plugin to a single use per site if the "Must change password" or "Password expiry date" features are used. Both features need to redirect to a single page UID, which is now configured in the site settings.

### Version 4.0.0

This version contains major breaking changes, since now the TYPO3 password policy is used for password validation.

- All password validators have been removed in favor of TYPO3 password policies. Make sure to check whether the TYPO3 default password policy suits your needs
- The pwned password check has been removed. If this check is required, please use the TYPO3 extension [add\_pwd\_policy](https://github.com/derhansen/add_pwd_policy) in the password policy for frontend users
- The extension now requires the current user password by default. This check can be disabled in settings using `requireCurrentPassword`
- The extension requires the TYPO3 `security.usePasswordPolicyForFrontendUsers` feature toggle to be active
- Dropped TYPO3 11.5 compatibility.

### Version 3.0.0

- Dropped TYPO3 9.5 and 10.4 compatibility.
- Changed file extension for TypoScript files to `.typoscript`
- Replaced signal slot with PSR-14 event

### Version 2.0.0

Dropped TYPO3 8.7 compatibility.

### Version 1.5.0

**Added CSRF protection.**

If you use an own template for "Edit.html", you must add the following code inside `...`.

```

```

Prior to version 1.5.0, the extension contained a CSRF vulnerability if `settings.requireCurrentPassword` was disabled (default). To mitigate the issue, the property `changeHmac` has been added to the DTO. This property contains an HMAC that is unique to the currently logged-in user. When the provided `changeHmac` does not match the expected value, an exception is thrown when the form is submitted.
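
The check described above, sketched in plain PHP as an added example (not the extension's own code): the server derives a per-user HMAC, embeds it in the form, and rejects any submission whose `changeHmac` does not match the value recomputed for the session user. The HMAC input, the key handling and all function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration only. The HMAC input ("fe_user_<uid>"), the key handling and
// all function names are assumptions, not the extension's implementation.

/** Per-user token: HMAC over the logged-in user's uid with a server-side key. */
function buildChangeHmac(int $userUid, string $serverKey): string
{
    return hash_hmac('sha256', 'fe_user_' . $userUid, $serverKey);
}

/** Recompute the token for the session user and compare in constant time. */
function handlePasswordChange(array $post, int $sessionUserUid, string $serverKey): string
{
    $submitted = $post['changeHmac'] ?? '';
    $expected = buildChangeHmac($sessionUserUid, $serverKey);
    // is_string() guards against array-typed form values before hash_equals().
    if (!is_string($submitted) || !hash_equals($expected, $submitted)) {
        throw new RuntimeException('Possible CSRF detected. Ensure a valid "changeHmac" is provided.');
    }
    return 'password changed for fe_user ' . $sessionUserUid;
}

$serverKey = bin2hex(random_bytes(32)); // constructed key, never sent to the browser
$sessionUid = 17;                       // constructed uid of the logged-in user
$otherUid = 42;                         // constructed uid of a different account

// Constructed requests: one from the rendered form, three that must be rejected.
$requests = [
    'form rendered for the user' => ['newPassword' => 'x', 'changeHmac' => buildChangeHmac($sessionUid, $serverKey)],
    'cross-site post, no token' => ['newPassword' => 'x'],
    'token of another account' => ['newPassword' => 'x', 'changeHmac' => buildChangeHmac($otherUid, $serverKey)],
    'token sent as array' => ['newPassword' => 'x', 'changeHmac' => ['a']],
];

foreach ($requests as $label => $post) {
    try {
        echo $label, ': ', handlePasswordChange($post, $sessionUid, $serverKey), PHP_EOL;
    } catch (RuntimeException $e) {
        echo $label, ': rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

Only the first request is accepted; a page on another origin cannot read the token from the rendered form, so a forged submission arrives without a matching `changeHmac`.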

Thanks for sponsoring
---------------------

- Thanks to [Wikafi sprl](https://www.wikafi.be) for sponsoring the initial development of this extension.
- Thanks to [t3site.com](https://www.t3site.com/) for sponsoring the "Require current password" feature.
- Thanks to [cron IT GmbH](https://www.cron.eu/) for sponsoring the "Require change password code" feature.

