[wp-trac] [WordPress Trac] #34281: Allow admins to send users a 'Reset Password' link
WordPress Trac
noreply at wordpress.org
Tue Feb 23 00:28:27 UTC 2021
#34281: Allow admins to send users a 'Reset Password' link
-------------------------------------------------+-------------------------
 Reporter:  Ipstenu                              |       Owner:  adamsilverstein
     Type:  task (blessed)                       |      Status:  reopened
 Priority:  normal                               |   Milestone:  5.7
Component:  Users                                |     Version:  4.4
 Severity:  normal                               |  Resolution:
 Keywords:  has-screenshots has-ux-feedback      |     Focuses:  javascript, privacy
            has-patch has-dev-note               |
-------------------------------------------------+-------------------------
Comment (by Ipstenu):
> The IP address (while fraught with privacy concerns) is the only thing
> validating that this email came from the website and is not a phishing
> email.
It is though? I could use my phone to send a reset, and I would have no
idea what my IP was. And that can easily be faked. Omitting the IP
actually reduces the data being sent out that could be used by bad-actors.
I think it's more likely we'd have a savvy bad actor than end users who
would need to ask for a password reset but also know what a valid IP is
and how to ask about it.
Not that we shouldn't look into something like logging or 'proving' ...
off the top of my head, if when we use the password reset, it sets a key
in the user's account, and the user has to enter that key to reset the
password? That could work.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/34281#comment:114>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
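The confirmation key Ipstenu sketches in the comment above, worked through as an added example (not code from WordPress or from the ticket): the key is random, only its hash is stored on the account, it expires, and it is consumed on first use, so the key is checked on the site rather than anything in the email proving origin. The in-memory USERS table, the 15-minute lifetime and the function names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stand-in for per-user account metadata (assumption).
USERS = {"alice": {"reset_hash": None, "reset_expires": 0.0}}

RESET_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset key


def issue_reset_key(username, now=None):
    """Generate a one-time reset key, store only its hash on the account,
    and return the plaintext key that is handed to the user."""
    now = time.time() if now is None else now
    key = secrets.token_urlsafe(24)
    USERS[username]["reset_hash"] = hashlib.sha256(key.encode()).hexdigest()
    USERS[username]["reset_expires"] = now + RESET_TTL_SECONDS
    return key


def verify_reset_key(username, submitted, now=None):
    """Return True only if the submitted key matches the stored hash, has not
    expired and has not already been used; the key is cleared on success or
    on expiry so it cannot be replayed."""
    now = time.time() if now is None else now
    record = USERS.get(username)
    if record is None or record["reset_hash"] is None:
        return False
    if now > record["reset_expires"]:
        record["reset_hash"] = None
        return False
    # Constant-time comparison of hex digests avoids leaking matching prefixes.
    ok = hmac.compare_digest(
        hashlib.sha256(submitted.encode()).hexdigest(), record["reset_hash"]
    )
    if ok:
        record["reset_hash"] = None  # single use
    return ok
```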