Forgot password logic change


Alexander Obuhovich

Dec 5, 2010, 9:34:40 AM
to In-Portal Development
I propose to change how Forgot Password feature works in In-Portal.

Currently it works this way:
  1. user clicks "Forgot Password" link on login page
  2. user enters his email or login
  3. user presses "Send Password" button
  4. user receives email with confirmation link
  5. when user clicks on that link, then he is brought to confirmation page
  6. when user clicks "Yes" on that confirmation page, then a new password is generated and sent to him by email (not too secure)
This way user needs to perform 6 steps to restore his password (he also needs to go to his profile to change it to whatever he wants later). Not too user friendly I think.

I propose to simplify this scheme this way:
  1. user clicks "Forgot Password" link on login page
  2. user enters his email or login
  3. user presses "Send Password" button
  4. user receives email with confirmation link
  5. when user clicks on that link, then he is brought to password change form
  6. user enters his new password (2 times) and is immediately logged in
This way user gets his password changed quickly and the new password isn't sent by email.


Another issue, when the password is sent by email, is when the "Auto-generate User Passwords" option is used (this way the user doesn't enter his password during registration). In this case the user gets his password after registration by email.

I propose to send a "forgot password" like link to his email and then he can change his password to whatever he wants.


--
Best Regards,

http://www.in-portal.com
http://www.alex-time.com
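The proposed six-step flow above, as an added example that is not In-Portal code (In-Portal is PHP; this is a stand-alone Python sketch of the same reset logic). It shows the pieces that make the link-based scheme safer than mailing a password: a random token that is stored only as a hash, a validity window, single use, a matching-confirmation check on the new password, and a session created only after the password has been replaced. The user and token stores are in-memory dicts, the `example.invalid` URL, `TOKEN_TTL`, the minimum length and the PBKDF2 settings are all assumptions made for the example; a real deployment would keep the records in the database and put the link into the outgoing email.

```python
import hashlib
import hmac
import os
import secrets
import time

TOKEN_TTL = 3600  # assumed: seconds a reset link stays valid

users = {}     # login -> {"email", "salt", "pw_hash"}        (assumed in-memory store)
tokens = {}    # sha256(token) -> {"login", "expires", "used"} (token itself is never stored)
sessions = {}  # session id -> login


def _hash_password(password, salt):
    # PBKDF2-HMAC-SHA256; iteration count is an assumed example value
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def register(login, email, password):
    salt = os.urandom(16)
    users[login] = {"email": email, "salt": salt, "pw_hash": _hash_password(password, salt)}


def _now(now):
    return time.time() if now is None else now


def request_reset(login_or_email, now=None):
    """Steps 2-4: look the account up by login or email and mint a single-use link.
    Returns the link destined for the email, or None if no account matched.
    The page shown to the visitor should say the same thing in both cases so the
    form cannot be used to enumerate accounts."""
    now = _now(now)
    match = next((l for l, u in users.items()
                  if l == login_or_email or u["email"] == login_or_email), None)
    if match is None:
        return None
    token = secrets.token_urlsafe(32)            # 256 bits of randomness, URL-safe
    key = hashlib.sha256(token.encode("ascii")).hexdigest()
    tokens[key] = {"login": match, "expires": now + TOKEN_TTL, "used": False}
    return f"https://example.invalid/reset?token={token}"  # assumed URL shape


def _lookup_token(token, now):
    rec = tokens.get(hashlib.sha256(token.encode("ascii")).hexdigest())
    if rec is None or rec["used"] or now > rec["expires"]:
        return None
    return rec


def open_reset_form(token, now=None):
    """Step 5: the link is clicked; only show the password form for a live token."""
    return _lookup_token(token, _now(now)) is not None


def complete_reset(token, new_password, confirm_password, now=None):
    """Step 6: replace the password, burn the token, log the user in.
    Returns a session id, or None if the token or the entered passwords are rejected."""
    now = _now(now)
    rec = _lookup_token(token, now)
    if rec is None:
        return None
    if new_password != confirm_password or len(new_password) < 8:  # assumed minimum length
        return None
    user = users[rec["login"]]
    user["salt"] = os.urandom(16)
    user["pw_hash"] = _hash_password(new_password, user["salt"])
    rec["used"] = True                      # the link must not work a second time
    sid = secrets.token_urlsafe(32)
    sessions[sid] = rec["login"]            # logged in without the password ever being emailed
    return sid


def login(login_name, password):
    u = users.get(login_name)
    if u is None:
        return False
    return hmac.compare_digest(u["pw_hash"], _hash_password(password, u["salt"]))
```

Storing only the hash of the token means a database read (SQL injection, a leaked backup) does not hand an attacker working reset links, and the `used` flag plus `expires` check closes the window in which an intercepted email is useful; the old scheme of mailing a fresh password has neither protection.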

Phil -- wbtc.fr --

Dec 5, 2010, 11:24:31 AM
to in-por...@googlegroups.com
I vote YES :-)

2010/12/5 Alexander Obuhovich <aik....@gmail.com>

Dmitry Andrejev

Dec 5, 2010, 12:46:50 PM
to in-por...@googlegroups.com
I like the idea, but are you proposing to completely remove the code for auto-password generation?


DA
--


Best regards,

Dmitry A.

Alexander Obuhovich

Dec 5, 2010, 3:26:16 PM
to in-por...@googlegroups.com
Of course, since there is no need to generate a password when the user will be entering it anyway to be able to log in.

If you are not aware of the security issues related to weak passwords, then a password weakness indicator (as I've already written before) will help.

If the user won't be able to use Google search to find an online password generator, then we could create one in JavaScript for it.

Dmitry A.

Dec 12, 2010, 12:59:29 PM
to in-por...@googlegroups.com
Hi,


Actually, I think we still have an option for auto-generating passwords during User Registration.

This means we can remove that functionality from Forgot Password, but still need to keep the ability to auto-generate passwords (makepassword4 method in globals.php) when needed (i.e. User Registration). This was exactly the reason I asked that question in my prev. post.



DA

Alexander Obuhovich

Dec 12, 2010, 1:02:11 PM
to in-por...@googlegroups.com
It will be site administrator's problem then if someone captures that email.

I think that we should add a hint to that option in configuration, something like "Will send non-encrypted password via email to user".

Dmitry A.

Dec 12, 2010, 1:17:43 PM
to in-por...@googlegroups.com
Agreed on the Hint so let's make it part of this task.

Are we ready for one? Anyone wants to add anything else here?

DA

Phil -- wbtc.fr --

Dec 12, 2010, 1:19:35 PM
to in-por...@googlegroups.com
nope

2010/12/12 Dmitry A. <dand...@gmail.com>:

Alexander Obuhovich

Dec 12, 2010, 2:48:14 PM
to in-por...@googlegroups.com
Yes, go on. Please create a task.

Please don't add anything to the task which is not a part of this discussion (e.g. what might seem to you to be related, but was not discussed here).

Dmitry A.

Dec 13, 2010, 11:33:22 AM
to in-por...@googlegroups.com
Here is task:

948: Change in "Forgot Password" logic

NOTE: not sure where to put it - in the Front-End or Security category in the Bug Tracker.

DA

Alexander Obuhovich

Dec 13, 2010, 1:46:35 PM
to in-por...@googlegroups.com
I've fixed some minor issues in the task, like:
  • sending passwords by email is secure
  • non-encrypted passwords will be sent by email

Dmitry A.

Dec 13, 2010, 2:23:27 PM
to in-por...@googlegroups.com
Thanks for looking it over, Alex!