Resend a user's password without resetting it to a new one


perfphysio
08-04-2007, 07:42 AM
Hi All,

It seems that every time a user requests a password reminder from my forum they actually get a password reset email. This is a laborious way to restore their password to what they thought it was.

I just want them to be sent their actual password in the email. Is this possible? Am I missing something?

I notice when looking up a user in admin that the password field is blank. Perhaps this is some of the issue here. Maybe I have not checked a setting somewhere, as I should at least get a representation of a password with ****** in that box. I can usually view it via the source code to assist them without a reset.

Any help is really appreciated

Thanks :)

Marco van Herwaarden
08-04-2007, 07:56 AM
This is a laborious way to restore their password to what they thought it was.

If it was what they thought it was......they would not need a password mailed to them.

Anyway, what you want is not possible as the password is only stored as a hash (1-way encryption). The unencrypted password is not stored anywhere, or even ever sent to the server.

perfphysio
09-08-2007, 10:06 AM
If it was what they thought it was......they would not need a password mailed to them.

Anyway, what you want is not possible as the password is only stored as a hash (1-way encryption). The unencrypted password is not stored anywhere, or even ever sent to the server.

OK, well this is pretty darn stupid. On every site I am a member of, if I forget my password then it is simply resent to the registered email address. It is very strange that this is not the case with vBulletin.

The current logic of resetting the password sends the user through all sorts of hoops that could be avoided with a simple resend of their stored one. Perhaps there is a mod to store them in another way rather than the way you have described.

To have to be resent a temp one, then cut and paste it, then log in with it, then update it in the UserCP to the one they want, only to perhaps forget it again in the future and have to do the whole thing again is ridiculous.

Can someone help with a mod to make this do what the link says - resend the forgotten password (not reset it)?

cheers :mad:

Opserty
09-08-2007, 11:11 AM
The whole point of the hoops is to stop people from accessing it who shouldn't be.

All good pieces of Internet software will NEVER send you your password directly in an email. Not only is it not secure to save a plain text password in the database (say, for example, you give another admin access to your site; they can run a simple MySQL query to fetch all the passwords of the users and then maybe test them out with their email accounts to see if some users use the same password for both. If they do...voilà, they have access to users' email accounts. It's unlikely, but it's an example of what can go wrong.)

On the other end: say someone (A) gains access to a user's (B) email account, maybe they guessed their secret question. If B has archived their activation email in their inbox then A can see they have signed up to your site, so they come to your site, click the forgotten password link and an email is dispatched to the inbox of B, and A can read it...now they have a password they can go try on all the sites they can see in B's inbox. If they are "un-intelligent" enough to sign up to a site that stores passwords in plain text then they probably use the same password everywhere else they are signed up to.

Both are rare situations but they are both plausible. From a personal point of view I would sign up to a site that has my password stored in plain text. (I test anything that's not vB for I add details :p)

There are probably more reasons too but those are just some quick ones I knocked together.

Paul M
09-08-2007, 12:39 PM
OK, well this is pretty darn stupid. On every site I am a member of, if I forget my password then it is simply resent to the registered email address. It is very strange that this is not the case with vBulletin.

Storing plain text passwords in a database is about the stupidest thing you can ever do.

What are all these sites you refer to? Because all the major forum software encrypts passwords (not just vBulletin).


Can someone help with a mod to make this do what the link says - resend the forgotten password (not reset it)?

No one can do this, as was made clear, the password is not stored anywhere.

nexialys
09-08-2007, 12:50 PM
Actually Paul is wrong... in one way.

There is a capability to tweak the registration process to be able to save the original password without encrypting it, and then your new users would be able to retrieve their password the way you want it to be...

The problem with that tweak is that it would apply only to the newly registered users or the ones who renew their password.

And your comment about "pretty darn stupid"... not correct. vBulletin is not "any website just for the fun of it"... if you are registered to Yahoo or MSN or Hotmail, you can't retrieve your password either.. you have to follow the exact same process as on vBulletin... request a new password and click a link in the email sent so you have a new activation to do...

Maybe you are referring to the old sites without any security you are visiting... but any commercial website now has solid encryption due to piracy and spam.

Paul M
09-08-2007, 01:02 PM
Actually Paul is wrong... in one way.

There is a capability to tweak the registration process to be able to save the original password without encrypting it, and then your new users would be able to retrieve their password the way you want it to be...

You're confusing the issue somewhat - they seem to want to do it with existing users; you cannot do that as the database only has the hash stored.

Also, I don't believe there is an actual option to change the password encryption for new registrations (or resets), you would need to make code modifications (a very bad idea).

perfphysio
09-08-2007, 01:27 PM
Personally I don't just see why you can't encrypt it on the way in and also on the way out as a reminder. After all these are forums, not CIA top secret files.

P.S. I don't mean to be sarcastic, but this is the only site I have ever found that doesn't let me retrieve my password, or at least send me a link to set a new one, rather than sending a temporary one which I then have to log in with, which I then have to remember to write in the original password box before I then have to update it. Way too long a process and way too unfriendly to a user.

Very secure though I agree :o

Marco van Herwaarden
09-08-2007, 01:40 PM
Personally I don't just see why you can't encrypt it on the way in and also on the way out as a reminder.

Not sure what you mean with "on the way out".

Passwords are not encrypted, but hashed. The big difference is that encryption is a 2-way process (plain->encrypted->plain) and hashing is a 1-way process (you can not decrypt a hashed value). Also the password is already hashed at the client-side and the unencrypted password is never sent over the network/internet or received by the server.
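An added example, not code from this thread or from vBulletin, showing the point Marco and Paul are making: the stored record holds only a salt and a one-way hash, so a login can be verified but the original password cannot be sent back, and a reset has to work with a fresh one-time token instead. The in-memory user table, the PBKDF2-HMAC-SHA256 scheme and the token flow are assumptions for illustration, not vBulletin's own implementation.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory "user table": username -> {"salt": bytes, "hash": bytes}.
# Only the salt and the hash are kept; the plaintext password never is.
USERS = {}

def hash_password(password, salt, iterations=200_000):
    # PBKDF2-HMAC-SHA256 is one-way: the output cannot be turned back into the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def register(username, password):
    # Fresh random salt per user, so equal passwords still produce different hashes.
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": hash_password(password, salt)}

def verify_password(username, password):
    # Login check: re-hash the candidate and compare in constant time.
    rec = USERS.get(username)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], hash_password(password, rec["salt"]))

def stored_plaintext(username):
    # What a "resend my password" email would need. The record has no such field,
    # so this is always None: there is nothing to resend.
    return USERS.get(username, {}).get("plaintext")

# Reset flow: a random one-time token goes out by email; only its hash is stored,
# so reading the database reveals neither passwords nor usable reset tokens.
RESET_TOKENS = {}

def issue_reset_token(username):
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[username] = hashlib.sha256(token.encode()).digest()
    return token  # this value is what the email would carry

def redeem_reset_token(username, token, new_password):
    expected = RESET_TOKENS.get(username)
    presented = hashlib.sha256(token.encode()).digest()
    if expected is None or not hmac.compare_digest(expected, presented):
        return False
    del RESET_TOKENS[username]          # single use
    register(username, new_password)    # new salt and new hash replace the old record
    return True
```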