At present, when a new user registers or a user resets their password, an email is sent containing the password. As SMTP uses cleartext this is not ideal. In addition, this only works when the password can be retrieved, which is possible for encrypted passwords but not for hashed passwords (as hashing is a one-way operation).
This enhancement adds code to change the behavior when a user wants to reset their password. When they select that option, an email is sent with a link to the password reset page. This link contains a value that is unique to that user. In addition, the link is only valid for a short period of time (determined by the “reset link timeout” value in host settings), and once used it is no longer valid.
As well as appearing in registration mails, this same token is sent out for password resets; if the user requests a password reset, the reset link timeout is used, and if an admin/host user resets a user’s password, the token is valid for 24 hours.
To see this in action, create a user, and then log off. Click on login, and press the “reset password” button.
The following will appear
An email is sent out, and the user can click on the supplied link, re-enter their username and change the password.
Note: when an administrator does a “force password change” it no longer sends out a new, randomly generated password. Instead it sends out a password reset link. However, as this action was initiated by the administrator and not the user themselves, the link is valid for 24 hours rather than the usual (and much shorter) value set in host settings.
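The token behaviour described above (unique per request, stored only as a hash, expiring after the host-setting timeout for user-initiated resets or 24 hours for administrator-initiated ones, and invalidated on first use) can be modelled as follows. This is an added illustration, not code from the product; the `ResetTokenService` class, the in-memory store and the injected clock are assumptions for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Administrator-initiated resets get a fixed 24-hour validity, as the page states.
ADMIN_RESET_VALIDITY = timedelta(hours=24)


@dataclass
class _Issued:
    user_id: int
    expires_at: datetime
    used: bool = False


@dataclass
class ResetTokenService:
    # The "reset link timeout" host setting, modelled here as a timedelta (assumption).
    reset_link_timeout: timedelta
    # Maps sha256(token) -> _Issued. Only the hash is kept, so a copied database
    # does not yield usable links.
    _store: dict = field(default_factory=dict)

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: int, now: datetime, initiated_by_admin: bool = False) -> str:
        """Create an unguessable, single-use token whose lifetime depends on who asked."""
        validity = ADMIN_RESET_VALIDITY if initiated_by_admin else self.reset_link_timeout
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._store[self._key(token)] = _Issued(user_id, now + validity)
        return token

    def redeem(self, token: str, claimed_user_id: int, now: datetime) -> bool:
        """Return True and burn the token if it is known, unexpired, unused and for this user."""
        issued = self._store.get(self._key(token))
        if issued is None or issued.used or now >= issued.expires_at:
            return False
        # The reset page asks the user to re-enter their username; bind the token to it.
        if issued.user_id != claimed_user_id:
            return False
        issued.used = True  # single use: a second redemption of the same link fails
        return True
```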