Password Retrieval options for customers

[tonedoggydogg]

As a hosting company, we are accumulating support tickets for simple password reset requests. This is a function that should be automated as it was before.

Is there a way to automate the password reset/retrieval feature for our hosting customers?

It used to be in some sort of /resetpass/ folder. This has apparently been removed since more recent cPanel releases.

Thanks.

[cPanelDavidG]

As a hosting company, we are accumulating support tickets for simple password reset requests. This is a function that should be automated as it was before.

Is there a way to automate the password reset/retrieval feature for our hosting customers?

It used to be in some sort of /resetpass/ folder. This has apparently been removed since more recent cPanel releases.

Thanks.

In WHM -> Server Configuration -> Tweak Settings -> System is Allow cPanel users to reset their password via email checked?

[tonedoggydogg]

In WHM -> Server Configuration -> Tweak Settings -> System is Allow cPanel users to reset their password via email checked?

No it wasn't checked. Thanks for the tip.

[aarmstrong]

In WHM -> Server Configuration -> Tweak Settings -> System is Allow cPanel users to reset their password via email checked?

This is an awesome feature for the host administrator but where is this nifty feature for the lowly email users? Is there a way to allow the email users to reset their passwords? This is where 90% of my tech support requests come from.

[cPanelDavidG]

This is an awesome feature for the host administrator but where is this nifty feature for the lowly email users? Is there a way to allow the email users to reset their passwords? This is where 90% of my tech support requests come from.

Where would the password be emailed in this scenario? Email accounts aren't created with a backup email address to send such information (unlike a cPanel account).

Generally individual cPanel hosting account owners should be the ones changing the passwords for their mail accounts, not the Sysadmin/Web Hosting Provider.

[aarmstrong]

How about to the email address that wants the password changed. I have used plenty of systems that allow me to reset my password that send me a temporary password or a confirmation link to reset it to a temporary password which is then emailed to me. I prefer the confirmation link since there is the obvious abuse that a non authorized user clicks reset on my email and it resets it and sends me the new one while breaking any automated email fetching I have going.

In a "perfect world" the host admin would change this but I live in the real world where many host admins could not admin their way out of a paper sack so dealing with the cpanel interface is out of the question. For these accounts which seem to make up a good percentage of my customers it is left up to the provider to deal with these issues.

I am also very aware that if they don't know their password they cannot check their email but this is not always the case. Many of my clients have the email password saved in their client but want to access webmail and do not know the password thus calling me to reset it.

[Metro2]

In WHM -> Server Configuration -> Tweak Settings -> System is Allow cPanel users to reset their password via email checked?

Just out of curiosity - enabling this used to be considered a security issue. Did something change and is it no longer seen as such?

[cPanelDavidG]

Just out of curiosity - enabling this used to be considered a security issue. Did something change and is it no longer seen as such?

Sending a password in plain text is generally not such a great idea in terms of security. Email should be considered plain text as soon as it traverses to another server or isn't checked using SSL. Hence this is disabled by default. However, many customers desire this functionality and deem this an acceptable risk - hence it is a tweak setting.

[tuxfan]

I read lots of links considering this feature as a security risk. But all were pretty old.

Besides this one risk (sending plain text passwords), is there ANY OTHER risk involved?

[electric]

When are we going to see the ability to reset a cpanel account password by using the API? I still can't believe such a basic function is not available.

[cpanelnick]

Sending a password in plain text is generally not such a great idea in terms of security. Email should be considered plain text as soon as it traverses to another server or isn't checked using SSL. Hence this is disabled by default. However, many customers desire this functionality and deem this an acceptable risk - hence it is a tweak setting.

Actually it just resets the password to something brand new and it only shown in the web interface. The security of the feature has had a significant upgrade in recent versions.

[Solokron]

Where is that email file located? I am noticing missing images in the header all over and would like to make changes.

*To clarify, I am referring to the email that is sent. How to change its header contents etc.

Thank you!

Actually it just resets the password to something brand new and it only shown in the web interface. The security of the feature has had a significant upgrade in recent versions.

[Solokron]

So it looks like it is coming from the encrypted file @ /usr/local/cpanel/base/resetpass.cgi

I found it pulls from unprotected/theme/header.html and footer.html

The problem I am finding with the coding is the SSL Reset Link: links to the domain via https:// which naturally results in an SSL Secure Connection Failed in all the newer browsers. We need an option to switch this to the hostname of the server or disable the https:// link altogether.