When a user resets a password, the system sends an email with the new password. I think the system should still allow the user to keep using his old password (in case he remembers it or finds it somewhere, etc.) and the new password should come into effect only once the user clicks the link in the email; from then on he should be using the new password.
Here are the use cases:
1. A user resets a password and the email is sent with the new password. For some reason the email got lost due to hosting issues or email provider issues. And the user is locked out of the site until he/she gets the email.
2. In some cases, people know their friend's email addresses and they may reset other people's passwords for fun, causing trouble for the owner of that account.
I think this should be added as an enhancement and improved in the next version if not this version.
Thanks
Mick
|
Understandable Mickscool, but I believe the password gets reset as soon as the user clicks the "Forgot Password" link.
If for some reason the user does not get the email due to host issues, they can always click it again. OR you as the admin can change the password for them through the Admin Panel > Members, then click the Username of the member. This will take you to their profile where you can change it for them.
Of course they would need to know your email address in case they can't login.
Nothing to see here |
Understandable Mickscool, but I believe the password gets reset as soon as the user clicks the "Forgot Password" link.
If for some reason the user does not get the email due to host issues, they can always click it again. OR you as the admin can change the password for them through the Admin Panel > Members, then click the Username of the member. This will take you to their profile where you can change it for them.
Of course they would need to know your email address in case they can't login.
Yeah but what's wrong with keeping the old password intact as long as the user does not click the link in the email to use the new password? This will be more secure and spam-free... I have seen some software like vBulletin work this way and it works out pretty good :)
|
2. In some cases, people know their friend's email addresses and they may reset other people's passwords for fun, causing trouble for the owner of that account.
I think this is an incredible problem and is so underrated! It is incredible.
|
This absolutely needs to be addressed. You cannot just reset the password of a member just because someone entered their email address.
I find this to be a HUGE risk because... what if someone does that to the admin accounts?
The email sent to the user's MUST have a link that they need to CONFIRM, BEFORE any password changes.
I can't believe this was reported YEARS ago with no improvement. shame on you!!!
|
I've never noticed this before! Ouch, in the database there is only a place for one password.
It would be nice to see something change here, like login. You can use your member ID number, i.e. Admin would be user 1, or the user name "newton27" or the email address used to sign up. I don't think most know you can use all three without any changes.
Can this be done with passwords, like a default pass or backdoor way in?
ManOfTeal.COM a Proud UNA site, six years running strong! |
You would not want a second back door password. Should not be done that way.
Basically the way it should work is this.
1) Click the forgot password button.
2) Email is sent with a link they must click on to confirm the email was received.
3) The link in the email brings them to the site, and the password is changed there.
As it is now, the password is changed when the forgot password is clicked and a new password is sent to their email.
The drawback to this is anyone who knows your email address can reset your password. A new password is sent to the actual owner of the account. This is not a security risk, just a nuisance, as the one who reset it is not the one who will receive the new password. So saying it is a HUGE risk is a bit overstated. It's more like a HUGE headache.
https://www.deanbassett.com |
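The three-step flow Deano describes (request, confirmation link, password changed only on the site), as an added example that is not Dolphin's own code: the reset request only stores a hashed, expiring, single-use token, so the old password keeps working until the link is actually used (which also covers Mick's two use cases). The tables, hashing and TTL here are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import time

# In-memory stand-ins for the members and reset-token tables (constructed demo data).
USERS = {"mick@example.com": {"pw_hash": hashlib.sha256(b"old-pass").hexdigest()}}
RESET_TOKENS = {}  # sha256(token) -> {"email": ..., "expires": ...}
TOKEN_TTL = 3600   # seconds a reset link stays valid (assumed value)


def _hash_pw(password):
    # Placeholder hashing for the demo; a real site uses bcrypt/argon2 with a per-user salt.
    return hashlib.sha256(password.encode()).hexdigest()


def check_login(email, password):
    user = USERS.get(email)
    return user is not None and hmac.compare_digest(user["pw_hash"], _hash_pw(password))


def request_reset(email, now=None):
    """Steps 1 and 2: create a single-use token to put in the email. The password is NOT touched."""
    now = time.time() if now is None else now
    if email not in USERS:
        return None  # the web handler shows the same message either way, so the address is not leaked
    token = secrets.token_urlsafe(32)
    # Store only the hash, so a database read does not reveal usable links.
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = {"email": email, "expires": now + TOKEN_TTL}
    return token


def confirm_reset(token, new_password, now=None):
    """Step 3: only after the link is clicked does the password actually change."""
    now = time.time() if now is None else now
    rec = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)  # pop = single use
    if rec is None or rec["expires"] < now:
        return False  # unknown, already used, or expired link: nothing changes
    USERS[rec["email"]]["pw_hash"] = _hash_pw(new_password)
    return True
```

A stranger submitting someone else's address only creates a token nobody but the mailbox owner can use, and the account keeps its current password until that owner chooses to act on the link.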
I agree, you could really kill a site!!! This is a MAJOR thing.
Deano, that is really what I meant.. thanks.
The link should go back to site to confirm the password change.
I'm glad members of Dolphin sites don't read these forums.
Now this is making me want to go in and change all my admin email addresses to a totally new unknown email address!!!
ManOfTeal.COM a Proud UNA site, six years running strong! |
So you play this out...
i.e. My site's contact email is all over the site, being a new Dolphin site owner, I use that mail for admin.
Here comes a person that knows Dolphin, sees an email address and submits that as theirs.
The admin is immediately locked out of the site and would have to catch that mail in their in box.
HUGE headache is right!
ManOfTeal.COM a Proud UNA site, six years running strong! |
Right, I should have used nuisance, since it's still your email that the pass gets sent to. The process they put in place is so old and outdated, it just needs to be improved.
My previous hosting company had this as the process for the control panel access. They also had in place password complexity and history. So one of my bonehead clients went there and put in my email for some reason and boom, my password was RESET. Not only that, I couldn't use my old password anymore and had to come up with new passwords lol... anyway... it's a pain and they should stop... at least you can reset it to your old pass :)
To this day... I don't know my pass there... I have to get it reset each time, as I can't use anything I can remember anymore since I locked it a couple of times since that first change.
|
I wonder if down under will read this today? ManOfTeal.COM a Proud UNA site, six years running strong! |
I am able to log in my Dolphin 7.1B1 website as an admin, but I am not able to log in with my regular user name.
I clicked the "Forgot Password" link. Followed the link from my email inbox and entered the password, but was still unsuccessful at logging in.
I then logged back in as an Admin and went to the member section, entered in the new password in the member profile, and clicked save.
Logged out and attempted to log back in as the user, but was still unsuccessful.
Anyone have any ideas on how to actually reset the password or what might be going on to have locked the user out if their profile is still activated?
I wondered if this had anything to do with changing the display name from "Username" to "First Name+Last Name"?
Any thoughts?
|
I wonder if they'll ever read it...
I wonder if down under will read this today?
|
If you are able to login under admin, but not under a regular user, then it may be that you have blocked every user; the most common reason for this is the enabled zomgbl.spameatingmonkey.net chain in Dolphin Admin Panel -> Tools -> Antispam.
Rules → http://www.boonex.com/terms |
AlexT,
You pinpointed my problem exactly. The issue is now corrected.
Thank you for reaching out with the answer!
|