The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Allow cPanel users to reset their password via email

Discussion in 'E-mail Discussions' started by ghv, Feb 9, 2004.

  1. ghv

    ghv Well-Known Member

    Joined:
    Oct 18, 2003
    Messages:
    53
    Likes Received:
    0
    Trophy Points:
    6
    Just noticed this under "tweak settings".

    Anyone know more about it?

    How's it done?
     
  2. perfectsquare

    perfectsquare Active Member

    Joined:
    Sep 11, 2002
    Messages:
    36
    Likes Received:
    0
    Trophy Points:
    6
    If you try to login to CPanel now, and do not put the proper user/pass in, it gives you a screen that allows you to reset your password and have it sent to the "contact email" for that user in CPanel.

    Try it yourself.

    I didn't see that you could disable that in WHM until you mentioned it. Thanks.
     
  3. mr.wonderful

    mr.wonderful BANNED

    Joined:
    Feb 1, 2004
    Messages:
    345
    Likes Received:
    0
    Trophy Points:
    0
    I completely disabled this option. Anyone can go to a website and request a password reset. This is pretty much a security issue i think. What would happen if you had some person abusing this function? You could have somebody go to anyones website and attempt this 50+ times. It would drive the owner nuts not to mention that if this function failed to send the email or it got lost the owner would never get his password.
     
  4. ghv

    ghv Well-Known Member

    Joined:
    Oct 18, 2003
    Messages:
    53
    Likes Received:
    0
    Trophy Points:
    6
    Thanks for the info. I disabled it as well.

    People reading this should note that it is enabled by default so disable it if you don't want it.

    I tend to look at "tweak settings" after running upcp as things get added there every so often and new things are sometimes enabled by default.
     
  5. Marty

    Marty Well-Known Member

    Joined:
    Oct 10, 2001
    Messages:
    630
    Likes Received:
    1
    Trophy Points:
    18
    Look through the change log before deciding it is a bad feature or what people can do to abuse it.:

    +-------------------------------------------------------------+
    Fri Jan 30 03:42:00 EST 2004
    8.7.0-EDGE_51
    ---------------------------------------------------------------
    prevent more then 3 password resets per ip per hour
    ---------------------------------------------------------------

    Oh, and try the feature as well. I think you will find that the email is sends has not already changed the password and that the password is never sent over email. I think some of you should try the feature before condemning it. I am not saying it is great, but you guys are condemning it for reasons that don't even exist. I am not a cpanel quior boy, but get your facts straight before complaining.
     
    #5 Marty, Feb 10, 2004
    Last edited: Feb 10, 2004
  6. Marty

    Marty Well-Known Member

    Joined:
    Oct 10, 2001
    Messages:
    630
    Likes Received:
    1
    Trophy Points:
    18
    btw, here is how it works.

    Upon a failed login, the user is asked if he wants to reset his password, and is presented a request for his username. He enters his username and clicks submit. An email is dispatched to the contact email address listed in cpanel for that account. That email has an ssl and non-ssl link. (Note: There is not password in the email and the password has not been changed yet.) When the user clicks on a link, the password is changed and page pops up with the new, randomly generated password, and a link to the control panel. I think it is pretty nice and deals with the bulk of the security issues in a pretty good way.
     
  7. ghv

    ghv Well-Known Member

    Joined:
    Oct 18, 2003
    Messages:
    53
    Likes Received:
    0
    Trophy Points:
    6
    I disabled mine because I don't have any users :D

    Pretty good reason I think...
     
  8. ghv

    ghv Well-Known Member

    Joined:
    Oct 18, 2003
    Messages:
    53
    Likes Received:
    0
    Trophy Points:
    6
    Or just wait a few weeks and see what happens :)
     
Loading...

Share This Page