WordPress.org

Make WordPress Core

Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#38915 closed enhancement (duplicate)

Improvements to password reset

Reported by: tomdxw Owned by:
Milestone: Priority: normal
Severity: normal Version: 4.6
Component: Users Keywords:
Focuses: administration Cc:

Description

When creating a user, an admin can leave the password unset and the user will be sent a link with which they can set their password.

This option does not exist when a user account already exists. The administrator can set the user's password to a random string generated by WordPress and email that to the user, or set the password to a string of their choosing and email that to the user.

Either way it's not ideal. There's always a risk the user will not change their password even after they've been told to - then there will be plaintext copies of the password which could be obtained (this could be an issue if the attacker is able to exploit a vulnerability in the email servers, but not the site itself).

The administrator should be able to force a user to reset their password in the same manner as when a user account is created. There should be a button on the user's profile page which disables the user's current password and emails a link to the user which the user can use to reset their own password.
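The behaviour requested above, sketched as an added example; it is not code from this ticket or from WordPress core. The function name `example_force_password_reset` and the email wording are hypothetical, and the code assumes it runs inside WordPress (for instance from a plugin) on a version that provides `get_password_reset_key()`.

```php
<?php
// Added example: hypothetical helper, not WordPress core code.
// Disables a user's current password and emails them a reset link,
// so no plaintext password is ever sent or stored in a mailbox.
function example_force_password_reset( $user_id ) {
    // Only users allowed to edit this account may trigger the reset.
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        return new WP_Error( 'forbidden', 'You are not allowed to edit this user.' );
    }

    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return new WP_Error( 'no_user', 'Unknown user ID.' );
    }

    // 1. Disable the current password by replacing it with a long random
    //    value that is never shown or emailed to anyone.
    //    wp_set_password() also clears any stored reset key, so this must
    //    happen before the new key is generated in step 3.
    wp_set_password( wp_generate_password( 64, true, true ), $user->ID );

    // 2. End every session the user still has open.
    WP_Session_Tokens::get_instance( $user->ID )->destroy_all();

    // 3. Create a reset key. Only a hash of it is stored, and it expires
    //    (one day by default, see the password_reset_expiration filter).
    $key = get_password_reset_key( $user );
    if ( is_wp_error( $key ) ) {
        return $key; // e.g. resets disabled through allow_password_reset
    }

    // 4. Build the same kind of link the "Lost your password?" flow sends.
    $url = network_site_url(
        'wp-login.php?action=rp&key=' . rawurlencode( $key )
            . '&login=' . rawurlencode( $user->user_login ),
        'login'
    );

    $body = "An administrator has reset your password.\n\n"
          . "Choose a new one here:\n\n" . $url . "\n";

    if ( ! wp_mail( $user->user_email, 'Set a new password', $body ) ) {
        return new WP_Error( 'mail_failed', 'The reset email could not be sent.' );
    }
    return true;
}
```

If the email fails to send, the old password is already disabled, so the administrator needs to see the returned error and retry.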

Change History (3)

#1 @lukecavanagh
3 years ago

@tomdxw

Good idea.

#2 @knutsp
3 years ago

  • Component changed from General to Users
  • Focuses administration added
  • Resolution set to duplicate
  • Status changed from new to closed
  • Version changed from 4.6.1 to 4.6

Duplicate of #34281.

This seems to be a duplicate enhancement request.

#3 @swissspidy
3 years ago

  • Milestone Awaiting Review deleted