Quote Originally Posted by DrByte View Post
2 Questions:
1. But ... why do they need to know "when they last changed it"?
2. You said "must be changed within 90 days". But, that's not correct. The system will auto-prompt them to set new password after 90 days is up. It won't suddenly "lock them out because they forgot to change it in time".

The sites where I've seen this mod installed make the admin home screen seem like there will be sudden doom if they don't pay careful attention to changing their password "in the nick of time". But that's the wrong concept. Passwords are tough enough to manage without creating alarm and fear of getting locked out because they weren't watching the calendar.

Other than dropping PCI rules altogether, how can the system be changed so that there's no need for this plugin?
1) I modeled this plugin after a similar display that one of my banks uses. They, too, have a "change your password every 90 days" requirement and I've found it useful (I log into the account once a week) to "know" that I'm going to need to have a new password ready for next week's login (kind of a heads-up).
2) The wording (and I've not reviewed the plugin's readme ) was based on my initial reading at the introduction of the feature in ZC v1.5.0 (about 3 years ago). When installed, the plugin adds 2 items to the header, indicating the date the password was last changed and the IP address of the last login using their account -- I'm missing the doom and gloom there.