How to disable password reset feature or increase security for resets?

Discussion in 'Customization & add-ons' started by engineerwsu, Dec 8, 2015.

  1. engineerwsu

    engineerwsu New Member

    Joined:
    Sep 18, 2014
    Messages:
    19
    I would like to disable the password reset feature for all users. My users may potentially know the email addresses of other users just based on common domain names, or they personally know them. If that is the case, a user could potentially reset many other users' passwords.

    Since the password reset feature has no authentication features built-in (like secret questions or something), I think it might be best in my case to just disable it for now until an update provides more security in this area.
  2. caesar

    caesar aMember Pro Developer Staff Member

    Joined:
    Oct 16, 2009
    Messages:
    1,689
    Please let me explain how this feature works. The customer submits his email to this form and aMember sends a secret link to this email to reset the password. So it is not possible to reset the password of other users if you do not have access to their email address. Also, we have an additional restriction that does not allow submitting the reset password form more than once per account within 3 hours.

    Regarding your question: there is no ability to disable such a feature from the admin interface.

    Best Regards.
  3. engineerwsu

    engineerwsu New Member

    Joined:
    Sep 18, 2014
    Messages:
    19
    Thank you caesar. The concern for me is that once a valid email address is typed in, that user's password has been reset and a reset email has been sent. This can cause issues for a user.

    I'll try to explain through example -
    Bob and Tom work for the same real estate agency (realestate.com). Bob knows Tom's email address is tom@realestate.com, and Tom knows Bob's email address is bob@realestate.com. If the agents are rivals, it may be a strategic move for Bob to enter Tom's email address for password reset so that the next time Tom goes to access his account, he first needs to reset his password. This is an annoyance.

    I think until there are more security features to allow a user to reset their own password, I would like to disable the feature so they must call customer service to do so.
  4. jenolan

    jenolan aMember Coder

    Joined:
    Nov 3, 2006
    Messages:
    493
    That is not how reset works. Step one is an email with a link that you click to start the reset procedure. I know the message says "your password has been emailed to you", but that is NOT what happens ;-)
  5. caesar

    caesar aMember Pro Developer Staff Member

    Joined:
    Oct 16, 2009
    Messages:
    1,689
    I am sorry. I guess I was not clear in my first message. Larry is right. You cannot reset the password for another user; you can only submit such a request. Then the user receives an email with an offer to reset the password and can ignore it.

    I recommend trying it yourself to better understand how it works exactly.
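The two-step flow described in this thread (a request only emails a secret link; the password changes only when that link is used; at most one request per account within 3 hours), as an added illustration that is not aMember's own code. The in-memory stores, the one-hour link lifetime and the account data are constructed assumptions.

```python
import hashlib
import secrets
import time
from typing import Optional

RESET_WINDOW = 3 * 60 * 60   # one request per account per 3 hours, as the thread states
TOKEN_TTL = 60 * 60          # assumption: the secret link expires after 1 hour

# Constructed in-memory stores standing in for the real database.
USERS = {"tom@realestate.com": {"password": "old-secret", "last_reset_request": 0.0}}
PENDING = {}  # sha256(token) -> (email, expires_at)


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """Step one: issue a secret link. The stored password is NOT touched here.
    Returns the raw token (what would be emailed) or None; the web form should
    show the same neutral message in every case so it does not reveal which
    addresses are registered."""
    now = time.time() if now is None else now
    user = USERS.get(email)
    if user is None:
        return None  # unknown address: nothing is sent
    if now - user["last_reset_request"] < RESET_WINDOW:
        return None  # rate limit: a rival re-submitting the form gets nothing
    user["last_reset_request"] = now
    token = secrets.token_urlsafe(32)          # unguessable, 256 bits of entropy
    PENDING[_hash(token)] = (email, now + TOKEN_TTL)  # store only the hash
    return token


def complete_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Step two: only whoever can read the mailbox (and clicks the link) can change
    the password. An ignored link changes nothing and simply expires."""
    now = time.time() if now is None else now
    entry = PENDING.pop(_hash(token), None)   # single use: valid or not, it is gone
    if entry is None:
        return False
    email, expires_at = entry
    if now > expires_at:
        return False
    USERS[email]["password"] = new_password
    return True
```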
