XF 1.2 Disable reset passwords via e-mail?

Discussion in 'XenForo Questions and Support' started by tekkitan, Dec 4, 2013.

  1. tekkitan

    tekkitan New Member

    I work in network security, so I am security aware on a lot of things. Especially when it comes to software I use (like now, XenForo!). I like XenForo, but one thing really made me uneasy about using it. When a user resets their password, it is sent to their e-mail address. SMTP connections typically are plain-text connections. If they are somehow intercepted somewhere between the source and the destination, anyone would be able to use these passwords to log in to an account (especially since they have the user's e-mail address as well).

    Now I know it is only meant to be a temporary password, but it still strikes me as insecure. In a perfect world, someone would immediately log in and change it. Obviously we do NOT live in a perfect world :)

    I know I am maybe being overly paranoid about it, as the likelihood of this happening is very slim, but it is part of my job to think about these types of things, so normally I apply it to personal things as well to try and be as secure as possible.

    After typing all that, I'm sure this *may* have been brought up before. If it has and has been discussed, I apologize, but I did a search and could not find anything near relevant.
  2. Ernest L. Defoe

    Ernest L. Defoe Well-Known Member

    It's not just xenForo that does that. Most forum software does password resets the same way. You are right that the chances of that e-mail being intercepted are slim to pretty much none. If someone wants to gain access to your site or someone's account, there are far better means of doing so than that.
  3. tekkitan

    tekkitan New Member

    I hate to say it, but vB does not send an e-mail with a password. I am trying to move away from them though because I like XenForo more :)
  4. Martok

    Martok Well-Known Member

    @tekkitan, I can understand where you are coming from on security. However, if you were able to disable password resetting by email, how do you envision a user on your site being able to reset their password? What method do you have in mind that is more secure?

    I hope you don't mind me asking, I'm just curious. :)
  5. Jeremy

    Jeremy Well-Known Member

    XenForo doesn't send a temporary password out when you reset a password.

    It sends a link to reset your password.
  6. Mike

    Mike XenForo Developer Staff Member

    The second email does have a password though.
  7. tekkitan

    tekkitan New Member

    The same way any other place does it securely, send a link to the user that asks them for a password to reset to. Obviously anyone intercepting that e-mail can get that link, but you can also ask for some other piece of information that is required to be filled out in their profile. I use SSL on my forum, so that is encrypted as well.
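An added example of the flow tekkitan describes in the post above (a link that leads to a "set a new password" form, plus a secondary profile field the user must supply). This is illustrative code written for this thread, not XenForo's code or vBulletin's; the in-memory dicts, the `secret_answer` field, the `forum.example` host, the 15-minute lifetime and the PBKDF2 parameters are all assumptions. The points it demonstrates: the e-mail carries a random single-use token, never a password; the database stores only a hash of that token, so a database read does not yield usable links; the token expires and is burned on first use or on a failed attempt; and the new password is chosen by the user at the site (over TLS) rather than transiting SMTP.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a short lifetime limits how long an intercepted link is useful
PBKDF2_ITERATIONS = 100_000  # assumption: illustrative work factor for password storage


class PasswordResetFlow:
    """Token-based reset as described in the post above. Dicts stand in for the forum's database."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}    # email -> {"salt", "password_hash", "secret_answer"}
        self.pending = {}  # sha256(token) -> {"email", "expires"}; the raw token is never stored

    @staticmethod
    def _hash_password(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    @staticmethod
    def _token_key(token):
        # Only the hash is kept server-side; someone who dumps `pending` cannot reconstruct the link.
        return hashlib.sha256(token.encode()).hexdigest()

    def register(self, email, password, secret_answer):
        salt = secrets.token_bytes(16)
        self.users[email] = {
            "salt": salt,
            "password_hash": self._hash_password(password, salt),
            "secret_answer": secret_answer,  # the "other piece of information" from the profile
        }

    def request_reset(self, email):
        """Return the link that would be e-mailed, or None for an unknown address.

        The caller should send the same "check your inbox" response either way so the
        reset form cannot be used to enumerate registered e-mail addresses.
        """
        if email not in self.users:
            return None
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self.pending[self._token_key(token)] = {
            "email": email,
            "expires": self.clock() + TOKEN_TTL_SECONDS,
        }
        return f"https://forum.example/reset?token={token}"  # no password in the mail

    def complete_reset(self, token, secret_answer, new_password):
        """Consume the token; the user supplies the secondary answer and picks the new password here."""
        # pop() makes the token single-use and burns it even when the attempt fails,
        # so an interceptor gets exactly one try before the real user must request a fresh link.
        entry = self.pending.pop(self._token_key(token), None)
        if entry is None or self.clock() > entry["expires"]:
            return False
        user = self.users[entry["email"]]
        if not hmac.compare_digest(user["secret_answer"].encode(), secret_answer.encode()):
            return False
        salt = secrets.token_bytes(16)
        user["salt"] = salt
        user["password_hash"] = self._hash_password(new_password, salt)
        return True

    def verify_login(self, email, password):
        user = self.users.get(email)
        if user is None:
            return False
        return hmac.compare_digest(user["password_hash"], self._hash_password(password, user["salt"]))


def token_from_link(link):
    """Extract the token exactly as the user's browser would send it back."""
    return parse_qs(urlparse(link).query)["token"][0]


if __name__ == "__main__":
    flow = PasswordResetFlow()
    flow.register("alice@example.com", "old-pw", "blue")
    link = flow.request_reset("alice@example.com")
    print("mailed link:", link)
    tok = token_from_link(link)
    print("reset with right answer:", flow.complete_reset(tok, "blue", "new-pw"))
    print("replay of same link:", flow.complete_reset(tok, "blue", "another"))
    print("login with new password:", flow.verify_login("alice@example.com", "new-pw"))
```

The remaining exposure is the one tekkitan acknowledges: whoever reads the e-mail in transit holds the link until it expires or is used. The secondary answer, the short lifetime and single use reduce that to one short window and one guess; rate limiting on the reset form (not shown) is the usual further step.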
  8. tekkitan

    tekkitan New Member

