[wp-trac] [WordPress Trac] #24633: Allow admins to generate and send new passwords for users
WordPress Trac
noreply at wordpress.org
Mon Jun 2 07:19:54 UTC 2014
#24633: Allow admins to generate and send new passwords for users
-------------------------------------+-----------------------------
Reporter: mordauk | Owner:
Type: task (blessed) | Status: new
Priority: normal | Milestone: 4.0
Component: Users | Version:
Severity: normal | Resolution:
Keywords: has-patch needs-testing | Focuses: administration
-------------------------------------+-----------------------------
Comment (by knutsp):
I think passwords should not be sent via email at all. Send a link to the
password reset form, as when the lost password form is used.
At least passwords should not be sent from sites with a secure admin
(https).
If WordPress has sent a password via email there should be a nag, at
least, as when the initial password is not changed yet. This is not very
user friendly since the user must use two passwords, first the generated
one and then the changed one.
And a nag that is just ignored for a long time doesn't make the password
invalid.
Emails can be intercepted, as can http. But emails are usually stored for
years, and if they are exposed by accident, an old password may still be
valid. One may argue that if an email client is exposed or an account is
hacked, then a wrong person may change the password. Such change may be
detected by the owner and legitimately changed. But a leaked, working
password is worse, since no one might even get suspicious.
But the enhancement proposed in this ticket will make WordPress a little bit
easier to use, especially for the admin, but far from more secure, and a bit
less user friendly for the non-admin (being nagged instead of changing the
password once and securely).
The existence of the nag itself indicates that sending passwords via email
is not regarded as a secure practice.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/24633#comment:35>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
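
The comment's argument about mail archives can be made concrete. The sketch below is an added example, not WordPress code and not part of the original message: the Accounts class, the 24-hour link lifetime and the user names are assumptions made for illustration. It compares what an emailed password, a used reset link and an unused reset link are each worth to someone who reads the mailbox a year later.

```python
import hashlib
import hmac
import secrets

RESET_TTL = 24 * 3600      # assumed lifetime of a reset link, in seconds
YEAR = 365 * 24 * 3600
def _digest(value):
    # SHA-256 keeps the sketch stdlib-only; real passwords need a slow password hash.
    return hashlib.sha256(value.encode()).hexdigest()

class Accounts:
    """In-memory stand-in for a user table (hypothetical, not WordPress code)."""
    def __init__(self):
        self.password = {}  # user -> digest of the current password
        self.pending = {}   # user -> (digest of reset token, expiry time)

    def email_new_password(self, user):
        password = secrets.token_urlsafe(12)   # the secret itself goes in the mail
        self.password[user] = _digest(password)
        return password

    def check_password(self, user, password):
        return hmac.compare_digest(_digest(password), self.password.get(user, ""))

    def email_reset_link(self, user, now):
        token = secrets.token_urlsafe(32)      # only the token goes in the mail
        self.pending[user] = (_digest(token), now + RESET_TTL)
        return token

    def redeem(self, user, token, new_password, now):
        stored, expires = self.pending.get(user, ("", 0))
        if now > expires or not hmac.compare_digest(_digest(token), stored):
            return False                       # expired, already used, or wrong
        del self.pending[user]                 # single use
        self.password[user] = _digest(new_password)
        return True

def mailbox_exposed_a_year_later():
    """What each archived mail still opens for someone reading it a year on."""
    db = Accounts()
    mailed_password = db.email_new_password("alice")  # nag ignored, never changed
    used_link = db.email_reset_link("bob", now=0)
    db.redeem("bob", used_link, "chosen-by-bob", now=60)
    unused_link = db.email_reset_link("carol", now=0)
    return {
        "emailed password": db.check_password("alice", mailed_password),
        "used reset link": db.redeem("bob", used_link, "attacker", now=YEAR),
        "unused reset link": db.redeem("carol", unused_link, "attacker", now=YEAR),
    }
```

Only the emailed password still works after a year; both reset links are dead, whether or not their owners ever used them.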