Ideas Portal
Status New Idea
Workspace Pressero
Categories Products
Created by Susanna Toppa
Created on Oct 25, 2019

Password protection

I think new password security practices need to be implemented. Emailing a new password is not secure. I'd rather someone click on a link to lead them to a page to set a new password.

  • Admin
    Chris Beaven
    Apr 1, 2022

    Jim, I agree 100%. Security is huge. I'm going to change the status of this item so I know to get it reviewed and planned for the future.

  • Jim Riddles
    Mar 10, 2022

    Any thoughts on this idea? This has just been brought up by a new customer of ours. They are very concerned that the passwords are being sent in plain text via email. It wouldn't be as big of an issue if users were forced to change their password once they reached the system. However, I feel that it would be a better idea to simply send a password reset link that allowed someone to change their password without first logging in. Make sure the link expires after a limited time, perhaps 1 day, so it couldn't be used again if someone was able to access the user's email address and find the old email.
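
As an added illustration of the expiring reset link suggested in this comment (not Pressero's code and not part of the original post), here is a minimal single-use token flow in Python. The `/reset` path, the in-memory store and the function names are assumptions made for the example.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

RESET_TTL = timedelta(days=1)  # "perhaps 1 day", as suggested in the thread
_pending = {}  # token hash -> (user_id, expires_at); stands in for a DB table


def _digest(token: str) -> str:
    # Store only a hash, so a leaked table does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_link(user_id: str, base_url: str, now: datetime) -> str:
    """Create a one-time link to email instead of a password."""
    # A new request invalidates any older outstanding link for this user.
    for key in [k for k, (uid, _) in _pending.items() if uid == user_id]:
        del _pending[key]
    token = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
    _pending[_digest(token)] = (user_id, now + RESET_TTL)
    return f"{base_url}/reset?token={token}"  # hypothetical path


def redeem_reset_token(token: str, now: datetime):
    """Return the user_id if the token is valid, else None."""
    # pop() removes the entry on first use, so an old email cannot be replayed.
    entry = _pending.pop(_digest(token), None)
    if entry is None:
        return None
    user_id, expires_at = entry
    if now >= expires_at:
        return None  # link found in an old mailbox after the TTL
    return user_id


if __name__ == "__main__":
    t0 = datetime.now(timezone.utc)
    link = issue_reset_link("user-1", "https://shop.example", t0)  # constructed
    tok = link.split("token=")[1]
    print(redeem_reset_token(tok, t0 + timedelta(hours=1)))  # first use
    print(redeem_reset_token(tok, t0 + timedelta(hours=2)))  # replay attempt
```
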

  • Jim Riddles
    Apr 22, 2020

    George,

    Again, I think that you are misunderstanding the point of the request. Using that link, the system sends a password through unsecured email to the end user. That is precisely what Susanna does NOT want to happen. Does that provide more clarity? It is always possible that I do not fully understand Susanna's request, but it seems pretty clear to me that she does not want Pressero to send a password in an email, but allow the user to reset the password directly on the website.

    I would just like to add an additional step that sends a link to that password reset page, rather than redirecting the user to that page immediately. It would act a little like 2FA, without that added headache of actually implementing 2FA.

  • Admin
    George Mixco
    Mar 30, 2020

    Hi Jim,

    Right, as I mentioned, it could be scaled for a single user, which means you wouldn't have to do any imports.
    You could simply change the User's password to a difficult one, and send the user the link https://yoursitenamehere.com/lostpassword.

    This way, it forces them to change their password. The link I believe OP was looking for just requires adding "/lostpassword" to the end of the site's URL.

    No need to send an actual password. Hope that helps :-)

  • Jim Riddles
    Mar 26, 2020

    George, I don't believe that the OP was talking about forcing all new users to reset their password, but changing the way the password reset is currently done. I could be mistaken, though.

  • Admin
    George Mixco
    Mar 26, 2020

    Hello all,

    I shared this work-around with another client who wanted to force all their users to reset their passwords. This can be scaled for a single user:

    Forcing users to reset their passwords would work like this:

    1. Export your Site Users by going to SITE > User Management > Site Users > click on the gear icon > Import/Export Users (https://www.screencast.com/t/IWZQ5EVIrpkX). Create a generic password for every user - such as "changeme" (without the quotation marks). Even better, create a password that's difficult instead. (Here's a tool: https://www.lastpass.com/password-generator. But you may already have your own.) Do not re-import yet.

    2. Customize the new user email notification to add text stating that the password for their account must be changed, with a link to https://tu.serviceforms.chi.v6.pressero.com/lostpassword . Since the users won't know their passwords when you re-upload the users in step 3, they'll use the password recovery link to force them to update their password. See this article for instructions on customizing email notifications: Can I customize the notification emails that are sent out?

    3. Import your site users. Be sure to:

      • Do steps 1 and 2 before importing the users.

      • When you import users, be sure to check the "Send Notifications" button.

      • In your user import template, make sure that you have set that the users can receive notifications.

    For your reference, these instructions are a modified version of this KB article: https://support.aleyant.com/kb/a789/is-there-way-to-upload-users-then-send-emails-to-them-with-their-password-require.aspx

    Hope that helps.

  • Jim Riddles
    Oct 29, 2019

    Rather than emailing the new password or taking them to a screen immediately, I would like to see a password reset link sent via email. This will allow us to track when a password reset was requested, and prevent transmitting passwords through email.

  • Alisson Salles
    Oct 28, 2019

    I agree