17452 Posts in 4473 Topics by 1971 members
Page: 1 2
|Go to End||Next >|
17 July 2007 at 4:10am Last edited: 17 July 2007 4:11am
As already mentioned in my post on Friday the "I've lost my password" feature doesn't work anymore as expected since passwords can now be encrypted.
There are now in principle two possible solutions:
1.) Assign a new password to the account which is then mailed to the specified email address.
2.) Send a so called auto login hash which is a special URL that logs you automatically in without entering a password. The user can change the password then as he likes.
The downside of solution 1 is that someone can change the passwords for all accounts for which he knows the email address and people won't understand we their usual credentials doesn't work anymore unless they read their mails.
Solution 2 (which is the one I would prefer) is a little more complicate for the user he has to change the password himself but I think there are no other problems with this approach.
What do you think? Which of the two solutions should be implemented?
I would implement it in a way that the function works the same way as now for clear text passwords and sends a auto login hash for encrypted passwords (the auto login hash works only until the next successful login).
Google Summer of Code Hacker
17 July 2007 at 5:19am
i prefer option 1 with a method to circumvent the problem you mentioned of having the credentials changed without the user knowing
it is a combination of the two options actually, when the lost password email is entered, an email with a unique key is sent to the address, and when they click the link, a new password is emailed to them or they are taken to a confirmation or change password page
it is similar to option 2, but i guess i would say they are not authenticated until they use the new password
17 July 2007 at 8:49pm
Solution 2 is good, as long as it shows the user a change password form straight away - like, the system shouldn't wait for them to go to a change password form themselves.
As well as the benefit you mentioned, this also means that users choose their own passwords, rather than being given passwords that they'll forget.
Core Development Team
17 July 2007 at 9:49pm
My vote is for solution2
18 July 2007 at 1:13am
OK, so I think we agree on solution 2.
I'll implement it in the following way:
1. Click on "I've lost my password"
2. The user enters his email address and clicks on "Reset my password" (maybe some other label??)
3. The system sends the auto login hash to the user (also to users with clear text password - the user forgot it already once, so there is no need to use it again).
4. The user clicks on the link and gets to a form where he enters his password and clicks on "Change my password".
5. The system shows the message "Your password was successful changed and you can use it now to log in". (the user will not be automatically logged in because we don't know where we should redirect him - forum, /admin, ...)
Is this OK? If so I'll start with the implementation.
What's the best way to implement the change password form so that it can be easily reused?
19 July 2007 at 2:37am
OK, it's implemented now (in r38919).
There are some (cosmetically) things that should be fixed, but everything work as it should.
I will fix those things after my vacation.
Could you all please test this new feature and if there are problems add them to the ticket.
Thanks a lot
23 November 2007 at 1:21pm Last edited: 23 November 2007 1:22pm
Hi I'm having trouble retrieving my password. I do the usual Lost Password and it send an email to the specified email address, however when I click the link I get the following error message:
Change your password
The password reset link is invalid or expired.
You can request a new one here or change your password after you logged in.
I tried requesting new passwords a couple of times (all with different hashes), and repeatedly the same error message appears.
Any help/advice would be appreciated.
23 November 2007 at 10:24pm
To what system are you trying to receive a password for?
Obviously not this forum, since you can post messages ;)
Page: 1 2
|Go to Top||Next >|