[wp-trac] [WordPress Trac] #24633: Allow admins to generate and send new passwords for users

WordPress Trac noreply at wordpress.org
Mon Jun 2 16:53:20 UTC 2014


#24633: Allow admins to generate and send new passwords for users
-------------------------------------+-----------------------------
 Reporter:  mordauk                  |       Owner:
     Type:  task (blessed)           |      Status:  new
 Priority:  normal                   |   Milestone:  4.0
Component:  Users                    |     Version:
 Severity:  normal                   |  Resolution:
 Keywords:  has-patch needs-testing  |     Focuses:  administration
-------------------------------------+-----------------------------

Comment (by ryanduff):

 Replying to [comment:35 knutsp]:
 > I think passwords should not be sent via email at all. Send a link to
 > the password reset form, as when the lost password form is used.
 >
 > At least passwords should not be sent from sites with a secure admin
 > (https).
 >
 > If WordPress has sent a password via email there should be a nag, at
 > least, as when the initial password is not changed yet. This is not very
 > user friendly since the user must use two passwords, first the generated
 > one and then the changed one.
 >
 > And a nag that is just ignored for a long time doesn't make the password
 > invalid.

 Was talking about this today at BeachPress and just bouncing ideas. One
 thing that sounded better from a security standpoint was to flag the
 account and force a reset.

 Most of the plugins, and the manual way to do it, just reset the
 password for the user but do not send it via email. That way they need to
 request a password reset so they get the link to reset it themselves.
 Downside is that in theory they can just reset their new password to the
 same as the old password.

 If we added a user meta flag that their account was locked or due for a
 password reset, we could compare the hash of the new password to what's
 currently in the database and force them to set a different password.

 Probably a candidate for discussion in a new ticket rather than here.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/24633#comment:36>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
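
A minimal model of the flag-and-compare idea from the comment above, as an added example that is not part of the original message and is not WordPress code. `Account`, `reset_required` and the PBKDF2 hasher are assumptions standing in for the user record, the proposed user meta flag and the site's own password hashing; it shows that with salted hashes the check must verify the new plaintext against the stored hash, because hashing it afresh yields a different string.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch


def hash_password(password, salt=None):
    """Return 'salt_hex$digest_hex' using salted PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Re-hash the candidate with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def naive_hash_equal(password, stored):
    """The tempting but broken check: a fresh hash gets a fresh salt."""
    return hash_password(password) == stored


class Account:
    """Hypothetical user record; reset_required models the user meta flag."""

    def __init__(self, password):
        self.password_hash = hash_password(password)
        self.reset_required = False

    def admin_force_reset(self):
        # Admin flags the account instead of e-mailing a new password.
        self.reset_required = True

    def set_password(self, new_password):
        """Return (ok, reason); reject reuse while the flag is set."""
        if self.reset_required and verify_password(new_password, self.password_hash):
            return False, "new password must differ from the current one"
        self.password_hash = hash_password(new_password)
        self.reset_required = False  # flag clears only after a real change
        return True, "password changed"
```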

