#38915 closed enhancement (duplicate)
Improvements to password reset
Reported by: | tomdxw | Owned by: | |
---|---|---|---|
Milestone: | | Priority: | normal |
Severity: | normal | Version: | 4.6 |
Component: | Users | Keywords: | |
Focuses: | administration | Cc: | |
Description
When creating a user, an admin can leave the password unset and the user will be sent a link with which they can set their password.
This option does not exist when a user account already exists. The administrator can set the user's password to a random string generated by WordPress and email that to the user, or set the password to a string of their choosing and email that to the user.
Either way it's not ideal. There's always a risk the user will not change their password even after they've been told to - then there will be plaintext copies of the password which could be obtained (this could be an issue if the attacker is able to exploit a vulnerability in the email servers, but not the site itself).
The administrator should be able to force a user to reset their password in the same manner as when a user account is created. There should be a button on the user's profile page which disables the user's current password and emails a link to the user which the user can use to reset their own password.
@tomdxw
Good idea.
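
The flow requested in the ticket description (disable the current password, then email a reset link instead of a password), sketched as an added example that is not WordPress core code and not from the ticket's author. The helper name `example_force_password_reset()` and the email wording are assumptions; the functions it calls are existing core APIs.

```php
<?php
/**
 * Added example (hypothetical helper, not part of WordPress core).
 * Invalidates a user's password and sessions, then emails a reset link.
 */
function example_force_password_reset( $user_id ) {
	if ( ! current_user_can( 'edit_user', $user_id ) ) {
		return new WP_Error( 'forbidden', 'You are not allowed to edit this user.' );
	}
	if ( ! get_userdata( $user_id ) ) {
		return new WP_Error( 'no_user', 'Unknown user ID.' );
	}

	// 1. Disable the current password by overwriting it with a random value
	//    that is never displayed, stored elsewhere or emailed.
	wp_set_password( wp_generate_password( 64, true, true ), $user_id );

	// 2. Drop every stored session token so existing logins end as well.
	WP_Session_Tokens::get_instance( $user_id )->destroy_all();

	// 3. Create the reset key only now: wp_set_password() empties
	//    user_activation_key, so a key issued before step 1 would be wiped.
	$user = get_userdata( $user_id ); // Re-read; step 1 cleared the user cache.
	$key  = get_password_reset_key( $user );
	if ( is_wp_error( $key ) ) {
		return $key;
	}

	// 4. Email a link, not a password. The key is single-use and expires.
	$link = network_site_url(
		'wp-login.php?action=rp&key=' . $key . '&login=' . rawurlencode( $user->user_login ),
		'login'
	);
	$sent = wp_mail(
		$user->user_email,
		'Please choose a new password',
		"An administrator has reset your password. Set a new one here:\n\n" . $link . "\n"
	);

	return $sent ? true : new WP_Error( 'mail_failed', 'The reset email could not be sent.' );
}
```

Because no usable password ever appears in the message, a later compromise of the mailbox exposes only a reset key that has expired or already been consumed.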