> When you see that the password is about to expire in 0 day, do you
> really think that saying it will expire in 12h30m42s will encourage the
> user to change it now? If he don't do that in the previous days he will
> probably not do it in the hour too. Quite useless IMO but if there more
> vote to have HH:MM why not.
My concern with this is mainly the relation with the 2 threads I
linked. The password expiration patch disconnects users after their
password expires, opposed to the current behavior of letting existing
connections to continue - which I think is a quite useful security
improvement. And with that, the exact expiration time, maybe even
periodic reminders while the connection is active are way more useful.
("Your password is only valid for 2 more hours, please don't forget
this or you will be disconnected" ... "Now you only have 15 minutes,
last chance to fix it")
This is why I think something that could make periodic reminders, not
only one reminder during when the client connects, could be useful.
Even if not GoAway itself, maybe something similar to it? I mainly
linked these because I think the goal/problem is similar, and while
both patches look good separately, the user experience could use some
improvements if both get merged. (Another related discussion in the
password expiration thread is oauth token expiration checks, which
could use similar "Your token expired, you have X more minutes or you
will be disconnected" messages)
