View Issue Details

IDProjectCategoryView StatusLast Update
0002304Composrcore_cnspublic2020-03-28 02:38
ReporterChris GrahamAssigned ToChris Graham 
Status resolvedResolutionfixed 
Product Version 
Fixed in Version 
Summary0002304: Greater password reset flexibility
DescriptionDifferent sites want different complexities. We range from a situation of a non-important site that is accessed by people on fiddly smartphones who don't even know how to use computers properly, to a very high-security enterprise extranet.

Implement 3 config options, replacing current password reset options:
 - List, New password comes from (*): randomly generated and shown in 1st e-mail [**], user [after link clicked from 1st e-mail], randomly generated and shown after link clicked from 1st e-mail, randomly generated and sent in 2nd e-mail
 - Checkbox, Ultra reset security, The 1st e-mail actually doesn't include a link, it just includes a raw reset code/password, with an obfuscated from name. The user has to know what it is to use it.
 - Checkbox, New password assigned is temporary only and must be changed when logging in (only applies if "user" wasn't selected for "new password comes from")
 - Integer, How long reset codes last for in minutes
 - Checkbox, Reset codes are numeric (numeric is easier to type, especially on a smartphone - but less secure for brute force cracking)

* In increasing order of security
** In this case the password reset code also works as a login password. When you log in using it, the system recognises this situation, and copies it to your password, making the password reset code null again.
TagsRoadmap: v11, Type: Security
Attach Tags
Time estimation (hours)8
Sponsorship open


related to 0001684 non-assigned Security Questions for password resets 
related to 0003024 resolvedChris Graham Lost-password form privacy (and assorted discussed ideas) 


Patrick Schmalstig

2016-03-22 06:11

administrator   ~0003471

Curious. What about implementing security questions for password reset?

Chris Graham

2016-03-22 12:58

administrator   ~0003473

See 0001684

Chris Graham

2020-03-28 01:48

administrator   ~0006493

There's a lot of overlap in here with stuff already-done with the "Password reset process" option (maybe that option was inspired by this issue and I forgot to comment), and a fair amount of over-complexity. I like what we currently do. For example, there's no real reason to give the webmaster the choice between an emailed temporary password and having the confirmation link ask them to choose a new password immediately.

I don't see a reason to have numeric confirmation codes. Already it's a link to click that includes the code, unless the user has an awful email client - which I've never seen.

"Integer, How long reset codes last for in minutes" is important, and I will implement for v11 and then mark this issue resolved.

Issue History

Date Modified Username Field Change
2016-03-16 16:16 Chris Graham New Issue
2016-03-22 06:11 Patrick Schmalstig Note Added: 0003471
2016-03-22 12:58 Chris Graham Note Added: 0003473
2019-06-27 01:50 Chris Graham Relationship added related to 0001684
2019-06-27 01:50 Chris Graham Tag Attached: Type: Security
2020-03-28 01:44 Chris Graham Relationship added related to 0003024
2020-03-28 01:45 Chris Graham Tag Attached: Roadmap: v11
2020-03-28 01:48 Chris Graham Note Added: 0006493
2020-03-28 02:38 Chris Graham Assigned To => Chris Graham
2020-03-28 02:38 Chris Graham Status non-assigned => resolved
2020-03-28 02:38 Chris Graham Resolution open => fixed