Allow cPanel users to reset their password via email

ghv

Well-Known Member
Oct 18, 2003
53
0
156
Just noticed this under "tweak settings".

Anyone know more about it?

How's it done?
 

perfectsquare

Active Member
Sep 11, 2002
36
0
156
If you try to log in to CPanel now, and do not put the proper user/pass in, it gives you a screen that allows you to reset your password and have it sent to the "contact email" for that user in CPanel.

Try it yourself.

I didn't see that you could disable that in WHM until you mentioned it. Thanks.
 

mr.wonderful

BANNED
Feb 1, 2004
345
1
166
I completely disabled this option. Anyone can go to a website and request a password reset. This is pretty much a security issue, I think. What would happen if you had some person abusing this function? You could have somebody go to anyone's website and attempt this 50+ times. It would drive the owner nuts, not to mention that if this function failed to send the email or it got lost, the owner would never get his password.
 

ghv

Well-Known Member
Oct 18, 2003
53
0
156
Thanks for the info. I disabled it as well.

People reading this should note that it is enabled by default so disable it if you don't want it.

I tend to look at "tweak settings" after running upcp as things get added there every so often and new things are sometimes enabled by default.
 

Marty

Well-Known Member
Oct 10, 2001
630
1
318
Look through the change log before deciding it is a bad feature or what people can do to abuse it:

+-------------------------------------------------------------+
Fri Jan 30 03:42:00 EST 2004
8.7.0-EDGE_51
---------------------------------------------------------------
prevent more then 3 password resets per ip per hour
---------------------------------------------------------------

Oh, and try the feature as well. I think you will find that the email it sends has not already changed the password and that the password is never sent over email. I think some of you should try the feature before condemning it. I am not saying it is great, but you guys are condemning it for reasons that don't even exist. I am not a cpanel choir boy, but get your facts straight before complaining.
 

Marty

Well-Known Member
Oct 10, 2001
630
1
318
Originally posted by ghv
Just noticed this under "tweak settings".

Anyone know more about it?

How's it done?
btw, here is how it works.

Upon a failed login, the user is asked if he wants to reset his password, and is presented a request for his username. He enters his username and clicks submit. An email is dispatched to the contact email address listed in cpanel for that account. That email has an ssl and non-ssl link. (Note: There is no password in the email and the password has not been changed yet.) When the user clicks on a link, the password is changed and a page pops up with the new, randomly generated password, and a link to the control panel. I think it is pretty nice and deals with the bulk of the security issues in a pretty good way.
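
The flow described in the post above, together with the "3 password resets per ip per hour" limit from the quoted change log, sketched as an added example that is not part of the original posts and is not cPanel's code. The class and method names, the placeholder link URL, and the token hashing, expiry and single-use handling are assumptions made for illustration.

```python
import hashlib
import secrets
import time

MAX_PER_IP = 3      # "3 password resets per ip per hour" (change log above)
WINDOW = 3600       # seconds
TOKEN_TTL = 3600    # assumption: the thread does not state a link lifetime

class ResetService:                       # hypothetical name
    def __init__(self, contacts, passwords, clock=time.time):
        self.contacts = contacts          # username -> contact email
        self.passwords = passwords        # demo store; real systems keep salted hashes
        self.clock = clock
        self.by_ip = {}                   # ip -> timestamps of accepted requests
        self.pending = {}                 # sha256(token) -> (username, expiry)

    def request_reset(self, username, ip):
        """Step 1: mail a link. The password is NOT changed here."""
        now = self.clock()
        recent = [t for t in self.by_ip.get(ip, []) if now - t < WINDOW]
        if len(recent) >= MAX_PER_IP:
            self.by_ip[ip] = recent
            return None                   # throttled: nothing is mailed
        self.by_ip[ip] = recent + [now]   # unknown usernames count too
        if username not in self.contacts:
            return None
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[digest] = (username, now + TOKEN_TTL)
        # The mail carries only the link, never a password.
        return {"to": self.contacts[username],
                "body": "https://panel.example/resetpass?token=" + token}

    def confirm_reset(self, token):
        """Step 2: the link was clicked; only now is the password replaced."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)     # single use
        if entry is None or self.clock() > entry[1]:
            return None
        new_password = secrets.token_urlsafe(12)   # shown once on the result page
        self.passwords[entry[0]] = new_password
        return new_password
```

Because the throttle is keyed on the requesting IP and the password only changes when the mailed link is followed, repeated requests from one address produce at most three mails per hour and never lock the owner out by themselves.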
 

ghv

Well-Known Member
Oct 18, 2003
53
0
156
Originally posted by Marty
I am not a cpanel choir boy, but get your facts straight before complaining.
I disabled mine because I don't have any users :D

Pretty good reason I think...
 

ghv

Well-Known Member
Oct 18, 2003
53
0
156
Originally posted by Marty
Look through the change log before deciding it is a bad feature or what people can do to abuse it:
Or just wait a few weeks and see what happens :)