thirty bees forum

Question

Posted

Hi there, our customers have found some kind of bug in the password recovery system... when someone asks for a password recovery, an email is sent, and when we click the link to change the password, we get a message telling us that the password has been changed, but no password has been entered...

Any idea to solve this?

thanks

3 answers to this question

  • 0
Posted

That's how recovery works in tb. You don't enter a new password, it is generated and sent to you via email.

If the email does not contain the new password, then check your email template: password.html / password.txt

  • 0
Posted (edited)
8 hours ago, datakick said:

That's how recovery works in tb. You don't enter a new password, it is generated and sent to you via email.

If the email does not contain the new password, then check your email template: password.html / password.txt

And this sucks. I don't understand how a webshop in 2020 can send passwords in real text. We have had some customer complaints about this.

I noticed there are modules that can fix this but this should really be fixed into the core I think.

Edited by Briljander
  • 0
Posted
6 hours ago, Briljander said:

And this sucks. I don't understand how a webshop in 2020 can send passwords in real text. We have had some customer complaints about this.

I noticed there are modules that can fix this but this should really be fixed into the core I think.

I agree that this should be changed.

I don't want to say 'fixed', because I don't really have a problem with sending a *server generated* password over email in plain text. I actually believe this is more secure than having the user enter a new password in an online form.

The reason I support this change is that this flow is not standard these days. It can surprise users, and it can even anger some of them (unjustly). That's not something we want.

However, it's not easy to implement this in core. The functionality itself is pretty easy to implement -- it would be a few hours of work, max. But it requires a new template, which is a theme responsibility. We could add this new template to both the *community* and *niara* themes. But we can't do the same for third party themes. Which means that password recovery functionality would not work anymore, if you used commercial themes.

To overcome this problem we first need to come up with some mechanism to have new templates. There are many ways to do this, for example template inheritance. Unfortunately, it's much more complicated to implement such a mechanism.
