Is there an option to disable forgot password

  • Got some people that keep messing around using password reset on members, doing it as guests so members keep being sent an email about a password reset.


    Is there any setting/option to disable password reset on user accounts (forgot password)?

  • You can't ban a guest doing it. :/


    I mean the Lost Password page


    All a guest needs to do is get a load of usernames off the forum and start sending out Lost Password requests, and the users will all get emails for it because a guest can just enter a Username (instead of an Email Address). At least with an email address they need to know the user's email to enter - but with a Username they can just grab them from the forums to send to, and it will automatically use their registered email.

  • That guest of yours is really doing it with effort, as he must pass reCAPTCHA verification each time.

    -------------------


    I agree with you, it's better to only ask for the email address. Username is a NO, people can play pranks with someone else's account by frequently sending them password reset emails. Btw, what will happen (to our account) if a password reset comes to our email, but we ignore it?

  • That guest of yours is really doing it with effort, as he must pass reCAPTCHA verification each time.

    -------------------


    I agree with you, it's better to only ask for the email address. Username is a NO, people can play pranks with someone else's account by frequently sending them password reset emails. Btw, what will happen (to our account) if a password reset comes to our email, but we ignore it?

    Yes, it can just be ignored. But it obviously annoys the user because they're getting emails for something they didn't request, and it can also be annoying for the user if they keep getting their email inbox spammed with it happening repeatedly by somebody messing around. It's a bit too easy to abuse when they can just enter a Username and don't even need to know the email address.


    I was just wondering if it might be worthwhile thinking about adding an option in the ACP to completely disable the Lost Password page, so if anyone starts abusing it playing games you can turn it off for a while as Admin to stop it.

  • Hi


    I just wanted to note that one cannot request a lost password mail more than once per 24-hour window per user (i.e. everyone receives at most one mail per day).

    Btw, what will happen (to our account) if a password reset comes to our email, but we ignore it?

    Nothing. Starting with WoltLab Suite Core 3 the request automatically expires after 24 hours. Before WSC 3 it will live indefinitely, but cannot be used to compromise an account by guessing the token, as the new password is emailed.
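    The two controls described in this thread, the one-mail-per-24-hours throttle and the 24-hour expiry of the request, together with the earlier point about looking users up by email instead of username, are sketched below in a small Python service. This is an added illustration, not WoltLab's own code; the class, field and method names are assumptions, and the token is stored hashed and redeemed once so a leaked database row cannot be replayed.

    ```python
    import hashlib
    import secrets
    import time
    from dataclasses import dataclass
    from typing import List, Optional, Tuple

    RESET_WINDOW = 24 * 60 * 60  # one request per user per 24 h; token also valid 24 h

    @dataclass
    class User:  # hypothetical minimal account record
        username: str
        email: str
        last_reset_request: float = 0.0      # epoch seconds of the last accepted request
        reset_token_hash: Optional[str] = None
        reset_token_expires: float = 0.0

    class LostPasswordService:
        def __init__(self, users: List[User], accept_username: bool = False):
            self._by_email = {u.email.lower(): u for u in users}
            self._by_name = {u.username.lower(): u for u in users}
            self.accept_username = accept_username      # False = email-only lookup
            self.sent_mails: List[Tuple[str, str]] = []  # constructed stand-in for a mailer

        def request_reset(self, identifier: str, now: Optional[float] = None) -> str:
            """Accept a lost-password request; reply is identical in every case so the
            form does not reveal whether the identifier belongs to an account."""
            now = time.time() if now is None else now
            key = identifier.strip().lower()
            user = self._by_email.get(key)
            if user is None and self.accept_username:
                user = self._by_name.get(key)
            # Throttle: silently drop a second request inside the 24 h window.
            if user is not None and now - user.last_reset_request >= RESET_WINDOW:
                token = secrets.token_urlsafe(32)
                user.reset_token_hash = hashlib.sha256(token.encode()).hexdigest()
                user.reset_token_expires = now + RESET_WINDOW
                user.last_reset_request = now
                self.sent_mails.append((user.email, token))  # only the mailbox owner sees it
            return "If the account exists, a reset mail has been sent."

        def redeem(self, username: str, token: str, now: Optional[float] = None) -> bool:
            """Validate a token from the mail: must exist, be unexpired and match."""
            now = time.time() if now is None else now
            user = self._by_name.get(username.lower())
            if user is None or user.reset_token_hash is None or now > user.reset_token_expires:
                return False
            presented = hashlib.sha256(token.encode()).hexdigest()
            ok = secrets.compare_digest(user.reset_token_hash, presented)
            if ok:
                user.reset_token_hash = None  # single use
            return ok
    ```
    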

  • Hi


    I just wanted to note that one cannot request a lost password mail more than once per 24-hour window per user (i.e. everyone receives at most one mail per day).

    Nothing. Starting with WoltLab Suite Core 3 the request automatically expires after 24 hours. Before WSC 3 it will live indefinitely, but cannot be used to compromise an account by guessing the token, as the new password is emailed.

    OK, I got it, but as GTB said, it will confuse some users when they receive unwanted password reset emails.

  • Sorry, yes. I should have said they can only do it once every 24 hours.


    But on my forum they have been doing it daily after it expires. Which is still annoying for the members it happens to. Obviously this is not something that's going to happen often, I understand that, and it's a one-off with some idiots playing games on my forum. But it still highlights a need really for maybe the Admin having an option to disable the Lost Password page for a while - if it really needs to be done.

  • Anyway @GTB, I don't agree with disabling the lost password page, every forum needs it. I just suggest that password resetting can only be processed by providing an email address, NOT a username.

  • Anyway GTB, I don't agree with disabling the lost password page

    Yes, I know it's needed for a valid reason. But the option to do it would only be there as a last measure to use. Otherwise, you can end up with members getting fed up enough to either leave the forum and block the site email on a spam list, or maybe asking that their account be removed to stop it. So really just an option to use as a last resort "for a while" to avoid that happening, otherwise there's nothing you as Admin can do to combat it if they remain persistent, coming back daily.


    It's just a thought is all....

  • There are cases where you forgot your e-mail address, but still have access to it. (Redirect for example) I would not like to force people to know both.

    My posts represent - unless explicitly marked otherwise - solely my subjective opinion gained from experience and/or reflection and are not to be understood as facts. Opinions are personal views and require no evidence. In Germany, freedom of opinion applies under Article 5 of the Basic Law. My posts do not constitute legal advice; I am not authorized to give it.

  • Agree also, because that is not what I said?


    Where did I say having to enter both email and name? I said add a switch in the ACP to disable the Lost Password page completely for a short spell if ever needed. I never said anything about forcing people to enter both username and email. ?(

  • I agree with you, it's better to only ask for email address. Username is a NO

    But he did. And this is unacceptable and must be expressed.

  • What do you mean by that?

  • You're reading too much into what I meant before. I never said force people to use both Username and Email - I was talking in general, saying it makes things easy for spammers by just being able to use a Username. So if anything, I was saying just keep email only and remove Username (but then, I wasn't even saying do that either). My main point was about adding an option to completely disable the page in the ACP if ever needed, to halt spammers from abusing it non-stop on a daily basis.


    Why would you be against adding something like that, when you don't even need to use it (it isn't forced on you to use it) if it's a switch in the ACP to turn "on and off"? You might not use SEO URLs - so should we remove the switch for that, used or not?

  • I'm not. I said

    But he did. And this is unacceptable and must be expressed.

    His intent was to not allow password reset mails with username (only). And this is not acceptable for me. I did not refer to you in any of my posts. I think you misunderstand me ;) There is no language barrier, I just picked his sentence and said that I would not like to see that. (But didn't quote, unfortunately.)