#32428 closed task (blessed) (fixed)
Do not e-mail passwords
Reported by: | | Owned by: |
---|---|---|---
Milestone: | 4.3 | Priority: | normal
Severity: | normal | Version: |
Component: | Security | Keywords: | has-patch
Focuses: | administration | Cc: |
Description
When creating an account for someone in WordPress, this is a bad time to let the user-creator pick a password. First, we're risking that it's weak, but even if it isn't weak, it isn't going to be memorable for the actual user who will own the account. In this case, we should just generate a password, and send the user a password view/reset link. For situations without e-mail, we can let the creator see the password, and send it to the user via a method more secure than e-mail.
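As an added illustration of the flow the ticket proposes (example code, not WordPress's own implementation): the account is created with a generated password the creator never sees, only a salted hash is stored, and the e-mail carries a reset link whose token is bound to an expiry timestamp, in the spirit of the time()-in-the-hash change in comment #9 below. The secret key, TTL and example.invalid URL are constructed placeholders.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import quote

# Server-side signing secret and link lifetime (constructed values for this example).
SECRET_KEY = b"example-server-secret-not-for-production"
RESET_TTL = 24 * 3600  # reset links are valid for one day

def generate_password(length: int = 24) -> str:
    """Random password nobody picks by hand; it is never e-mailed, only hashed."""
    return secrets.token_urlsafe(length)

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256 hash, stored instead of the cleartext password."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return f"{salt.hex()}${digest.hex()}"

def make_reset_token(user_id: int, now: Optional[int] = None) -> str:
    """Token = user id, expiry time and an HMAC over both, so the expiry cannot be altered."""
    expires = (now if now is not None else int(time.time())) + RESET_TTL
    msg = f"{user_id}:{expires}".encode()
    sig = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
    return f"{user_id}:{expires}:{sig}"

def verify_reset_token(token: str, now: Optional[int] = None) -> Optional[int]:
    """Return the user id if the token is authentic and unexpired, otherwise None."""
    try:
        user_id, expires, sig = token.split(":")
        expires_int = int(expires)
    except ValueError:
        return None  # malformed token
    expected = hmac.new(SECRET_KEY, f"{user_id}:{expires}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # forged or tampered token (constant-time comparison)
    current = now if now is not None else int(time.time())
    if current >= expires_int:
        return None  # link has expired
    return int(user_id)

def create_account(user_id: int, email: str, now: Optional[int] = None) -> dict:
    """Create the account record and the e-mail body; the cleartext password leaves neither."""
    record = {"id": user_id, "email": email, "pw_hash": hash_password(generate_password())}
    key = quote(make_reset_token(user_id, now), safe="")
    link = f"https://example.invalid/wp-login.php?action=rp&key={key}"
    return {"record": record, "email_body": f"Set your password here: {link}"}
```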
Attachments (3)
Change History (21)
This ticket was mentioned in Slack in #core-passwords by mark. View the logs.
10 years ago
This ticket was mentioned in Slack in #core by mark. View the logs.
10 years ago
This ticket was mentioned in Slack in #core by mark. View the logs.
10 years ago
This ticket was mentioned in Slack in #core-passwords by mikehansenme. View the logs.
10 years ago
This ticket was mentioned in Slack in #core by mark. View the logs.
10 years ago
This ticket was mentioned in Slack in #core-passwords by mikehansenme. View the logs.
10 years ago
#9
@
10 years ago
32428.2.diff: add time() to the hash so that it will expire properly.
#11
@
10 years ago
Attached 32428-login.diff
Changing "A password will be e-mailed to you." on the wp-login.php page to "Registration confirmation will be e-mailed to you."
Hat tip to @petercralen - https://wordpress.org/support/topic/registration-set-pasword
Related: #24633, #27192.