
Default XenForo Password Recovery Behavior

Joe Link

Well-known member
#1
My member demographic is quite old and not very tech savvy, so I try to make my sites very easy to use. One of the issues that comes up quite often is the default password reset behavior.

Default Password Reset
1. User enters username or email in lost password form.
2. User emailed password reset email.
3. User clicks password reset link in email.
4. User emailed new password.
5. User logs in with username and password.
6. User enters temporary password, then new password twice.

I'd like to know if it's a lack of understanding on my part, but this seems overly complex to me. Many modern websites, such as Twitter, make it much easier.

1. User enters username or email in lost password form.
2. User emailed password reset email.
3. User clicks password reset link in email.
4. User taken to screen to enter new password twice.

I see this add-on here (@Jon W) and it seems to do this. My main question is, why isn't this the default behavior? Is it inferior or less secure in some way?
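
The four-step flow from the second list, sketched as an added example that is not part of the original post and is not XenForo's or the add-on's code. `ResetStore`, `TOKEN_TTL` and the in-memory dictionaries are assumptions for illustration; the point is the set of checks that make a link-based reset safe: a random token stored only as a hash, an expiry, single use, and no password sent by email.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600  # assumed link lifetime in seconds; the post does not state one


class ResetStore:
    """In-memory stand-in for a forum's user table (hypothetical)."""

    def __init__(self):
        self.pending = {}    # user -> (sha256 of token, expiry timestamp)
        self.passwords = {}  # user -> (salt, derived key), never plaintext

    def request_reset(self, user, now=None):
        """Steps 1-2: create the token that goes into the emailed link."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        # A new request overwrites, and so invalidates, any older link.
        self.pending[user] = (digest, now + TOKEN_TTL)
        return token  # only the email carries this; the store keeps the digest

    def complete_reset(self, user, token, new_pw, confirm_pw, now=None):
        """Steps 3-4: validate the link, then set the password the user typed."""
        now = time.time() if now is None else now
        entry = self.pending.get(user)
        if entry is None:
            return False
        digest, expires = entry
        supplied = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, supplied) or now > expires:
            return False
        if not new_pw or new_pw != confirm_pw:
            return False  # token stays valid so the user can retype
        salt = secrets.token_bytes(16)
        key = hashlib.pbkdf2_hmac("sha256", new_pw.encode(), salt, 600_000)
        self.passwords[user] = (salt, key)
        del self.pending[user]  # single use: the link is dead after success
        return True
```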