[wp-trac] [WordPress Trac] #24633: Allow admins to generate and send new passwords for users

WordPress Trac noreply at wordpress.org
Mon Jun 2 07:19:54 UTC 2014


#24633: Allow admins to generate and send new passwords for users
-------------------------------------+-----------------------------
 Reporter:  mordauk                  |       Owner:
     Type:  task (blessed)           |      Status:  new
 Priority:  normal                   |   Milestone:  4.0
Component:  Users                    |     Version:
 Severity:  normal                   |  Resolution:
 Keywords:  has-patch needs-testing  |     Focuses:  administration
-------------------------------------+-----------------------------

Comment (by knutsp):

 I think passwords should not be sent via email at all. Send a link to the
 password reset form, as when the lost password form is used.

 At least passwords should not be sent from sites with a secure admin
 (https).

 If WordPress has sent a password via email there should be a nag, at
 least, as when the initial password is not changed yet. This is not very
 user friendly since the user must use two passwords, first the generated
 one and then the changed one.

 And a nag that is just ignored for a long time doesn't make the password
 invalid.

 Emails can be intercepted, as can http. But emails are usually stored for
 years, and if they are exposed by accident, an old password may still be
 valid. One may argue that if an email client is exposed or an account is
 hacked, then a wrong person may change the password. Such change may be
 detected by the owner and legitimately changed. But a leaked, working
 password is worse, since no one might even get suspicious.

 But the enhancement proposed in this ticket will make WordPress a little
 bit easier to use, especially for the admin, but far from more secure, and
 a bit less user friendly for the non-admin (being nagged instead of
 changing the password once and securely).

 The existence of the nag itself indicates that sending passwords via email
 is not regarded as a secure practice.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/24633#comment:35>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
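The reset-link alternative knutsp argues for, worked through as an added example (this is not WordPress core's code; the in-memory store, the one-hour lifetime and the URL are constructed assumptions): only a hash of a random, expiring, single-use token is kept server-side, so a reset email that sits in a mailbox for years carries nothing that still works, unlike an emailed password.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlsplit

# Constructed in-memory store: username -> (sha256 of token, expiry timestamp).
# Only the hash is stored, so a leaked table does not yield working reset links.
RESET_TOKENS = {}
TOKEN_LIFETIME = 3600  # seconds; an old link found in a mailbox is dead after this


def _hash_token(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_link(username, now=None):
    """Generate a one-time reset token for the user and return the link to email."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, URL-safe
    RESET_TOKENS[username] = (_hash_token(token), now + TOKEN_LIFETIME)
    # Hypothetical host; the token is the only secret the email carries
    return f"https://example.test/wp-login.php?action=rp&key={token}&login={username}"


def token_from_link(link):
    """Extract the key parameter as the user's browser would submit it."""
    return parse_qs(urlsplit(link).query)["key"][0]


def redeem_reset_token(username, token, now=None):
    """Return True at most once: token must match and be unexpired, then it is burned."""
    now = time.time() if now is None else now
    record = RESET_TOKENS.get(username)
    if record is None:
        return False
    stored_hash, expires_at = record
    if now > expires_at:
        del RESET_TOKENS[username]  # expired: drop it so it cannot linger
        return False
    # Constant-time comparison of the hashes avoids a timing side channel
    if not hmac.compare_digest(stored_hash, _hash_token(token)):
        return False
    del RESET_TOKENS[username]  # single use: a replayed link fails
    return True
```

A leaked or forwarded email therefore exposes at most one short-lived chance to set a new password, and never a credential that silently remains valid.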
