
Force Password Reset


John


Hello All,


This is a feature request I hope no one will have to use.


When a database gets breached, or there is a flaw in the security of Blesta, we might need to require all clients to change their passwords (and two factor auth tokens). Currently, there is no way to do this.


Most sites just make you log in, and then you can change your password. While this is very convenient for users, it is also extremely convenient for the person who managed to dump the database. Therefore, I recommend that after the user logs in, they get sent an email with a PIN number, which they have to put into the webpage. Then, it will allow them to reset their password. If they do not enter the PIN, then staff would get an alert, because this could mean that the client's account is breached.


While the Blesta team is very good at securing their product, this important feature is missing. I view it as a must-have. Right now, if a database were to get dumped we would have to manually reset clients' passwords. (VERY time consuming)


John


There's already a simple solution for this in the event that your database is leaked. You run the following query on your database:

UPDATE `users` SET `password` = '';

ALL Users will now be unable to login and MUST request a password reset.


We're unlikely to build this into the system because this is such an exceedingly rare case, and I feel that since it is such an important decision to make, that it ought to be done by someone with direct access to the database already.

