Koha How-To

Koha Question of the Week: Can I Enforce a Password Reset on First Login for a Staff Account?

Each Friday, we will bring you a new Koha Question of the Week. We will select real questions that we receive and share the answers with you!

Question: Can I Enforce a Password Reset on First Login for a Staff Account?

Answer: Enforcing a password reset for new Koha staff accounts is simple with the new password expiration functionality introduced in 22.05.

While you do have the option to require staff account passwords to expire at predetermined intervals at the patron category level, the ability to manually expire a password can be used on an individual account as a one-time tool for new staff accounts.

Once you have created a new account with staff permissions in Koha and a pre-generated password that can be conveyed securely to the new employee, go to the Library Use section of the account and edit it to set the password expiration date to a date that has already passed.

What the user will see next hinges on some system preferences. Either path forward begins with a warning box that the account is expired, with a link to reset.

One possibility is to set the EnableExpiredPasswordReset system preference to "Enable the ability for patrons to directly reset their password when it is expired. If not enabled patrons must either use the 'Forgot your password' feature or have staff reset their password."

If this preference is enabled, the user is directed to the OPAC update password landing page, where they will need to enter their user name or card number, their expired password, and a new one. Once it has been successfully reset, they will have buttons to go to the OPAC or their staff account with the new credentials.

If EnableExpiredPasswordReset is not enabled but OpacResetPassword is, they will also see the expired account warning and be redirected to the OPAC update password page. There, they will reset their password like a patron would, entering their user name and email associated with the account. A password reset email will be sent to that email, and they can reset from there.

Once the password has been reset, the password expiration field will revert to its default behavior. If the patron category is set to automatically expire passwords, a new expiration date will be set based on the category default, but if the patron category does not enforce password expirations, the password expiration date will return to 'Never.'
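
To check that the forced reset was actually applied to recently created staff accounts, a saved SQL report can list them with their password expiration state. This is an added example, not part of the original post; it assumes the stock Koha 22.05+ columns borrowers.password_expiration_date and categories.password_expiry_days, and the 30-day enrollment window and status labels are arbitrary choices.

```sql
-- Added example: read-only Koha report (Reports > Create from SQL).
-- Assumptions: stock 22.05+ schema; "staff" means any account with a
-- non-zero permission flag or at least one granular permission.
SELECT
    b.borrowernumber,
    b.userid,
    b.cardnumber,
    b.categorycode,
    b.dateenrolled,
    b.password_expiration_date,
    c.password_expiry_days,          -- category-level interval, NULL if not enforced
    CASE
        -- NULL is what the staff interface displays as 'Never'
        WHEN b.password_expiration_date IS NULL
            THEN 'never expires'
        -- a date that has already passed: the one-time forced reset is pending
        WHEN b.password_expiration_date < CURDATE()
            THEN 'expired, reset required'
        ELSE 'date not yet passed'
    END AS password_status
FROM borrowers b
JOIN categories c
    ON c.categorycode = b.categorycode
WHERE (
        b.flags > 0
        OR EXISTS (
            SELECT 1
            FROM user_permissions up
            WHERE up.borrowernumber = b.borrowernumber
        )
      )
  -- only accounts created in the last 30 days (adjust to your onboarding cycle)
  AND b.dateenrolled >= DATE_SUB(CURDATE(), INTERVAL 30 DAY)
ORDER BY b.dateenrolled DESC;
```

A new staff account that still shows 'never expires' or 'date not yet passed' and has not been through the reset flow is still using its pre-generated password.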

Additional Resources

Koha Question of the Week: How Do You Create a Staff Patron in Koha?

Monday Minutes: All Things Password Related

Passwords 101: A Show and Tell Adventure