[wp-trac] [WordPress Trac] #34281: Allow admins to send users a 'Reset Password' link
WordPress Trac
noreply at wordpress.org
Mon Feb 22 22:09:46 UTC 2021
#34281: Allow admins to send users a 'Reset Password' link
-------------------------------------------------+-------------------------
Reporter: Ipstenu | Owner: adamsilverstein
Type: task (blessed) | Status: reopened
Priority: normal | Milestone: 5.7
Component: Users | Version: 4.4
Severity: normal | Resolution:
Keywords: has-screenshots has-ux-feedback has-patch has-dev-note | Focuses: javascript, privacy
-------------------------------------------------+-------------------------
Comment (by gmariani405):
@audrasjb "Remove the IP Address from Admin generated password reset"

Not sure this is a great idea either. The IP address (while fraught with
privacy concerns) is the only thing validating that this email came from
the website and is not a phishing email. Unless there is a better way to
validate the authenticity of the email, I'd say it would be worthwhile to
keep it.

Scenario: a user asks their host or web designer for help. The host/web
designer goes in and resets their password. The user receives both the
legitimate mail and, by chance, a phishing email. Both would look
indistinguishable. The IP helps distinguish it as legitimate.

I realize it's not foolproof; a savvy enough bad actor could DNS lookup
the IP before sending the phishing email, but that is more labor intensive
when you're mass-mailing. This also relies on the end user being skilled
enough to validate the website domain against what was displayed in the
email, but I say to that, at least it's better than nothing.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/34281#comment:113>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform