[wp-trac] [WordPress Trac] #38915: Improvements to password reset
WordPress Trac
noreply at wordpress.org
Wed Nov 23 14:37:47 UTC 2016
#38915: Improvements to password reset
-------------------------+-----------------------------
Reporter: tomdxw | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: 4.6.1
Severity: normal | Keywords:
Focuses: |
-------------------------+-----------------------------
When creating a user, an admin can leave the password unset and the user
will be sent a link with which they can set their password.

This option does not exist when a user account already exists. The
administrator can set the user's password to a random string generated by
WordPress and email that to the user, or set the password to a string of
their choosing and email that to the user.

Either way it's not ideal. There's always a risk the user will not change
their password even after they've been told to - then there will be
plaintext copies of the password which could be obtained (this could be an
issue if the attacker is able to exploit a vulnerability in the email
servers, but not the site itself).

The administrator should be able to force a user to reset their password
in the same manner as when a user account is created. There should be a
button on the user's profile page which disables the user's current
password and emails a link to the user which the user can use to reset
their own password.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/38915>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
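
A sketch of the behaviour the ticket asks for, written as plugin code. This is an added example, not WordPress core code and not code from the ticket: the function name `example_force_password_reset()` and the email wording are hypothetical, and only existing core functions are called.

```php
<?php
/**
 * Added example: invalidate a user's current password and email a reset
 * link, so no plaintext password is ever sent. Hypothetical function name.
 *
 * @param int $user_id ID of the account to reset.
 * @return true|WP_Error
 */
function example_force_password_reset( $user_id ) {
	// Only callers allowed to edit this account may force a reset.
	if ( ! current_user_can( 'edit_user', $user_id ) ) {
		return new WP_Error( 'forbidden', 'You are not allowed to edit this user.' );
	}

	$user = get_userdata( $user_id );
	if ( ! $user ) {
		return new WP_Error( 'invalid_user', 'No such user.' );
	}

	// Replace the stored hash with one for a long random value that is never
	// shown, logged or emailed, so the old password stops working.
	wp_set_password( wp_generate_password( 64, true, true ), $user->ID );

	// End every existing login session for the account.
	WP_Session_Tokens::get_instance( $user->ID )->destroy_all();

	// Re-read the user record, which wp_set_password() has just changed.
	$user = get_userdata( $user->ID );

	// Core stores only a hash of this key, and the key expires.
	$key = get_password_reset_key( $user );
	if ( is_wp_error( $key ) ) {
		return $key;
	}

	$url = network_site_url(
		'wp-login.php?action=rp&key=' . $key . '&login=' . rawurlencode( $user->user_login ),
		'login'
	);

	$message  = "An administrator has requested that you choose a new password.\r\n\r\n";
	$message .= 'Set it here: ' . $url . "\r\n";

	if ( ! wp_mail( $user->user_email, 'Password reset required', $message ) ) {
		return new WP_Error( 'mail_failed', 'The reset email could not be sent.' );
	}
	return true;
}
```

The only secret that reaches the mailbox is the single-use, expiring reset key, so a later compromise of the mail server does not expose a working password.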