V4.2.x The ability to reset a user's password

[EnergyFreak +]

Hey,

I had a small suggestion for the next release. The ability to reset a user's password. I had a user yesterday that was not able or did not comprehend how to reset a password and I would of liked to be able to reset it for him without all the hassle or to create one for them. To some users having to request a password reset, receive the temporary password by email and then using it and changing for a new password is a complicated thing it seems... For us tech people it is easy. I just think it might save both the customer and us some time. Let me know if it is a good idea.

[seymourjames +]

Am I missing something but what is the hardship in them pressing the forget password button or you creating a new password /username for them? How often do you really have to do this? I think in 3 years I have only had to do it 3 times. I am probably misunderstanding what the problem is - do you have lots and lots of these and you are having to set up the accounts for them manually?

[EnergyFreak +]

I had to do it a few times already, some say they don't receive the emails, some say the temporary password does not work, etc... It can sometimes be hard for us to prove them wrong when we have no idea if the email was sent correctly or if the password actually really does not work. I've tested the system many times and in different environments and never had any problems. Obviously, I just think it's them that's struggling with the internet, but it might be nice for the admin users to have more control over a user's account.

[Lhotch +]

Quote:

Originally Posted by EnergyFreak

but it might be nice for the admin users to have more control over a user's account.

While not ideal, you can always ask the user what they want their password to be, MD5 it and insert it directly into the database. Done it many times with no problems.

[EnergyFreak +]

Quote:

Originally Posted by Lhotch

While not ideal, you can always ask the user what they want their password to be, MD5 it and insert it directly into the database. Done it many times with no problems.

I've tried to do that, but I was not able to find an MD5 decrypter online, what do you use to decrypt MD5 hash tags? Or do you ask the user what is the password he/she wants, and then you encrypt it and insert it directly in the database and replace the old one?

If I remember correctly, the V5 version showed the hash tag of the user's password directly on the user's panel in the administration area, it could be useful to have that in the next release as well, instead of having to go through the database in MySQL

[Lhotch +]

Quote:

Originally Posted by EnergyFreak

I've tried to do that, but I was not able to find an MD5 decrypter online, what do you use to decrypt MD5 hash tags? Or do you ask the user what is the password he/she wants, and then you encrypt it and insert it directly in the database and replace the old one?

If I remember correctly, the V5 version showed the hash tag of the user's password directly on the user's panel in the administration area, it could be useful to have that in the next release as well, instead of having to go through the database in MySQL

You DONT decrypt MD5, thats why I stated above to ASK the client what they would like their password to be, take that and MD5 it and cut/paste that string into the user table for their password.

[Mike-N-Tosh +]

I'm not really sure that I'm understanding the issue here. In my over 4 years of working with 68 Classifieds on my sites and well over a hundred client sites, I've only ever had to do it once.

Not trying to call anyone any names, but you can't fix stupid.

As you posted yourself it worked for you on different occasions. If the issue is the claim, they didn't get the email, then how would it be different if you reset the password for them in the admin?

If you want to hold the end user's hand and reset the password for them, you can.

1. Go to your site
2. Click login
3. Click Forgot password

That's even easier then having to:
1. Go to Admin url
2. login to the admin
3. click the main tab
4. click the sub tab
5. find the user
6. click on the user
7. click on a reset password link

Don't you agree?

[EnergyFreak +]

Ya I totally agree. But what I meant when resetting a password was that we would see the reset password and we would be able to send it to the user ourselves or even better we could be able to change the user's password ourselves. These are just suggestions, I am not criticizing the script, it's the best out there by far . It definitely should not be a priority, just a small improvement to the admin's control.

[seymourjames +]

Basically you are trying to crack a nut with a hammer. Unless you are inundated with fixing 'stupid' as Mike puts it, then it does seem overkill.

[Mike-N-Tosh +]

Be careful what you wish for. In this day and age of everyone on the internet and a bigger than ever move about protecting people's privacy whether it's warranted or not, you need to do everything that you can to protect yourself as a web site publisher.

One of the reasons that the password is NOT stored in a visible readable format is for privacy. The ONLY time the password is exposed in a readable format is when the email is sent upon registration (Welcome email) or when the user resets their own password. Then it is ONLY sent to the user's email address.

If you and/or anyone that has administration/user account privileges had the ability to see this information, then you would have exposure to personal information that COULD be used in a harmful way, such as attempting to use the same information to access other accounts that the user might have on other services, such as online banking, email accounts, social networks, etc..

This is exactly what the phishing sites do. Gather account information to attempt to gain access to that persons account which in many cases is used for other accounts and services.

Not having access to this information gives you total deniability/liability before the accusation can even happen.