How to disable password reset feature or increase security for resets?

Discussion in 'Customization & add-ons' started by engineerwsu, Dec 8, 2015.

  1. engineerwsu

    engineerwsu Member

    Joined:
    Sep 18, 2014
    Messages:
    31
    I would like to disable the password reset feature for all users. My users may potentially know the email addresses of other users just based on common domain names, or they personally know them. If that is the case, a user could potentially reset many other users' passwords.

    Since the password reset feature has no authentication features built-in (like secret questions or something), I think it might be best in my case to just disable it for now until an update provides more security in this area.
  2. caesar

    caesar aMember Pro Developer Staff Member

    Joined:
    Oct 16, 2009
    Messages:
    2,295
    Please let me explain how this feature works. A customer submits his email to this form and aMember sends a secret link to this email to reset the password. So it is not possible to reset the password of other users if you do not have access to their email address. Also we have an additional restriction that does not allow submitting the reset password form more than once per account within 3 hours.

    Regarding your question. There is no ability to disable this feature from the admin interface.

    Best Regards.
  3. engineerwsu

    engineerwsu Member

    Joined:
    Sep 18, 2014
    Messages:
    31
    Thank you caesar. The concern for me is that once a valid email address is typed in, that user's password has been reset and a reset email has been sent. This can cause issues for a user.

    I'll try to explain through example -
    Bob and Tom work for the same real estate agency (realestate.com). Bob knows Tom's email address is tom@realestate.com, and Tom knows Bob's email address is bob@realestate.com. If the agents are rivals, it may be a strategic move for Bob to enter Tom's email address for password reset so that the next time Tom goes to access his account, he first needs to reset his password. This is an annoyance.

    I think until there are more security features to allow a user to reset their own password, I would like to disable the feature so they must call customer service to do so.
  4. jenolan

    jenolan aMember Coder

    Joined:
    Nov 3, 2006
    Messages:
    510
    That is not how the reset works; step one is an email with a link that you click to start the reset procedure. I know the message says "your password has been emailed to you" but that is NOT what happens ;-)
  5. caesar

    caesar aMember Pro Developer Staff Member

    Joined:
    Oct 16, 2009
    Messages:
    2,295
    I am sorry. I guess I was not clear in my first message. Larry is right. You cannot reset the password for another user, you can only submit such a request. Then the user receives an email with an offer to reset the password and can ignore it.

    I recommend trying it yourself to better understand how exactly it works.
  6. engineerwsu

    engineerwsu Member

    Joined:
    Sep 18, 2014
    Messages:
    31
    Hello, I'm coming back around to this thread. I disabled the password resets a couple of years ago, but I'd like to consider using the tool now. However, I want to add a few layers of security.

    1) I want to add Captcha to the reset form
    2) Caesar, you mentioned only one "account" can submit once every 3 hours. Does that imply "username"? Since the username and the email address can both be used to log in, would it be possible for a bot to brute-force submit a list of email addresses one by one?
    3) Per OWASP, I would ideally like to request that users enter a mobile phone number (or alternate email) and enable password resets in their account. Email accounts are commonly hacked, so using multi-path validation would be ideal.
    4) I don't really want users to receive feedback on whether the account is on file or not. Rather, I would like to just allow the form submission and disregard it if the user does not exist, and then of course not allow more resets for 3 hours.

    I'm sorry I'm not sure what questions to ask, so I've tried to explain what I'm looking to do. Maybe some of this functionality is already available?
  7. caesar

    caesar aMember Pro Developer Staff Member

    Joined:
    Oct 16, 2009
    Messages:
    2,295
    Hello,

    1) The latest version allows adding reCaptcha to both the login and the reset password form.

    2) It applies to the account. It does not matter whether you submit the login or the email.

    3), 4) There are no such features in aMember.

    Best Regards.
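As an added example (not aMember's code; aMember is a PHP product, and this is a generic Python sketch), the following puts the reset flow caesar describes above into working code: a request only issues a single-use secret link to the account's own email, nothing about the password changes until that link is used, and an account accepts one request per 3 hours. On top of that it shows the two layers engineerwsu asks about in points 2) and 4): an identical reply whether or not the identifier matches an account, and a per-client throttle, since a per-account limit alone does not stop one client from submitting a list of addresses one by one. The one-hour link lifetime, the limit of 5 requests per client per 3 hours, the `salt$hash` storage format, the account names and the `now` parameter (passed in so the throttles can be exercised without waiting) are all assumptions made for the example.

```python
"""Illustrative password-reset flow: example code, not aMember's implementation."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

TOKEN_TTL = 60 * 60                  # assumed: emailed link is valid for one hour
ACCOUNT_THROTTLE = 3 * 60 * 60       # one request per account per 3 hours (as in the thread)
CLIENT_LIMIT = 5                     # assumed: max requests per client per window
CLIENT_WINDOW = 3 * 60 * 60

# Same reply whether or not the identifier matches an account, so the form
# does not confirm which addresses are on file.
GENERIC_REPLY = "If an account exists for that address, a reset link has been sent."


def hash_password(password: str) -> str:
    """Salted PBKDF2 hash stored as 'salt$hash' (illustrative storage format)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


@dataclass
class Account:
    login: str
    email: str
    password_hash: str


@dataclass
class ResetService:
    accounts: dict                                    # login -> Account
    outbox: list = field(default_factory=list)        # (email, token) mails "sent"
    pending: dict = field(default_factory=dict)       # login -> (token_hash, expiry)
    last_request: dict = field(default_factory=dict)  # login -> time of last request
    client_hits: dict = field(default_factory=dict)   # client_id -> [timestamps]

    def _find(self, identifier: str):
        # Login or email address is accepted, as on the aMember form.
        ident = identifier.strip().lower()
        for acct in self.accounts.values():
            if ident in (acct.login.lower(), acct.email.lower()):
                return acct
        return None

    def request_reset(self, identifier: str, client_id: str, now: float) -> str:
        """Step one: issue a single-use link. The password itself is untouched."""
        # Per-client throttle first, so one client cannot work through a list
        # of addresses; the per-account limit alone does not stop that.
        hits = [t for t in self.client_hits.get(client_id, []) if now - t < CLIENT_WINDOW]
        hits.append(now)
        self.client_hits[client_id] = hits
        if len(hits) > CLIENT_LIMIT:
            return GENERIC_REPLY
        acct = self._find(identifier)
        if acct is None:
            return GENERIC_REPLY                      # unknown account: silently disregarded
        last = self.last_request.get(acct.login)
        if last is not None and now - last < ACCOUNT_THROTTLE:
            return GENERIC_REPLY                      # one request per account per 3 h
        self.last_request[acct.login] = now
        token = secrets.token_urlsafe(32)             # the secret carried in the emailed link
        # Store only a hash: a leaked table does not yield usable links.
        self.pending[acct.login] = (hashlib.sha256(token.encode()).hexdigest(), now + TOKEN_TTL)
        self.outbox.append((acct.email, token))
        return GENERIC_REPLY

    def complete_reset(self, login: str, token: str, new_password: str, now: float) -> bool:
        """Step two: only the holder of the emailed token can set a new password."""
        entry = self.pending.get(login)
        if entry is None:
            return False
        token_hash, expiry = entry
        if now > expiry:
            del self.pending[login]
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(token_hash, presented):
            return False
        del self.pending[login]                       # single use
        self.accounts[login].password_hash = hash_password(new_password)
        return True


def build_demo_service() -> ResetService:
    """Constructed sample data: the two rival agents from the thread."""
    accounts = {
        "bob": Account("bob", "bob@realestate.com", hash_password("bob-secret")),
        "tom": Account("tom", "tom@realestate.com", hash_password("tom-secret")),
    }
    return ResetService(accounts)


if __name__ == "__main__":
    svc = build_demo_service()
    # Bob submits Tom's address: Tom gets a mail he can ignore; his password is unchanged.
    print(svc.request_reset("tom@realestate.com", client_id="bob", now=0.0))
    svc.request_reset("tom", client_id="bob", now=60.0)   # repeat within 3 h: no second mail
    print("mails sent:", len(svc.outbox))
```

Two caveats a practitioner would add: the unknown-address path returns faster than the path that generates a token and queues a mail, so the identical reply text does not by itself rule out enumeration by timing (sending the mail asynchronously or padding the response closes that gap), and a per-client throttle keyed on source IP is weak against a distributed bot, which is where the reCaptcha option from point 1) complements it rather than replaces it.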
