XF 1.2 Disable reset passwords via e-mail?

tekkitan

New member
I work in network security, so I am security aware on a lot of things. Especially when it comes to software I use (like now, XenForo!). I like XenForo, but one thing about using it really made me uneasy. When a user resets their password, it is sent to their e-mail address. SMTP connections typically are plain-text connections. If they are somehow intercepted somewhere between the source and the destination, anyone would be able to use these passwords to log in to an account (especially since they have the user's e-mail address as well).

Now I know it is only meant to be a temporary password, but it still strikes me as insecure. In a perfect world, someone would immediately log in and change it. Obviously we do NOT live in a perfect world :)

I know I am being maybe overly paranoid about it, as the likelihood of this happening is very slim, but it is part of my job to think about these types of things, so normally I apply it to personal things as well to try and be as secure as possible.

After typing all that, I'm sure this *may* have been brought up before. If it has and has been discussed, I apologize, but I did a search and could not find anything near relevant.
 
It's not just xenForo that does that. Most forum software does password resets the same way. You are right that the chances of that e-mail being intercepted are slim to pretty much none. If someone wants to gain access to your site or someone's account, there are far better means of doing so than that.
 

I hate to say it, but vB does not send an e-mail with a password. I am trying to move away from them though because I like XenForo more :)
 
@tekkitan, I can understand where you are coming from on security. However, if you were able to disable password resetting by email, how do you envision a user on your site being able to reset their password? What method do you have in mind that is more secure?

I hope you don't mind me asking, I'm just curious. :)
 

The same way any other place does it securely, send a link to the user that asks them for a password to reset to. Obviously anyone intercepting that e-mail can get that link, but you can also ask for some other piece of information that is required to be filled out in their profile. I use SSL on my forum, so that is encrypted as well.
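The reset-link flow described in that post, written out as an added example; this is not XenForo's code and not the poster's. The hostname, the in-memory tables standing in for database rows, the 30-minute expiry and the profile detail used as the extra check are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 30 * 60  # constructed policy: a reset link is valid for 30 minutes

# Constructed in-memory tables standing in for the forum database (not XenForo's schema).
USERS = {"alice": {"pw_salt": b"", "pw_hash": b"", "profile_answer": "1984-07-04"}}
RESET_TOKENS = {}  # sha256(token) -> {"user": name, "expires": unix time}


def _hash_token(token: str) -> str:
    # Only the token's hash is stored, so a leaked table does not yield working links.
    return hashlib.sha256(token.encode()).hexdigest()


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def issue_reset_link(username: str, now: Optional[float] = None) -> str:
    """Mint a single-use token and return the link to e-mail; no password goes in the mail."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    RESET_TOKENS[_hash_token(token)] = {"user": username, "expires": now + TOKEN_TTL_SECONDS}
    return f"https://forum.example.invalid/reset?token={token}"  # placeholder host


def complete_reset(token: str, profile_answer: str, new_password: str,
                   now: Optional[float] = None) -> bool:
    """Consume the token; set the new password only if the link is unexpired and the
    extra profile detail the poster suggests asking for also matches."""
    now = time.time() if now is None else now
    record = RESET_TOKENS.pop(_hash_token(token), None)  # pop: one attempt per link
    if record is None or now > record["expires"]:
        return False
    user = USERS[record["user"]]
    if not hmac.compare_digest(user["profile_answer"].encode(), profile_answer.encode()):
        return False  # wrong answer burns the link, so it cannot be guessed repeatedly
    user["pw_salt"] = secrets.token_bytes(16)
    user["pw_hash"] = _pw_hash(new_password, user["pw_salt"])
    return True


def check_password(username: str, password: str) -> bool:
    user = USERS[username]
    return hmac.compare_digest(user["pw_hash"], _pw_hash(password, user["pw_salt"]))
```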