[ABD] Email Only Password Reset

Posted: Thu Jun 07, 2018 10:31 am
by martti
Extension Name: Email Only Password Reset
Author: martti
Extension Description:
By default in a phpBB board you need to provide both username and email to reset your password. With this extension enabled you need only to give your email address.

Only users with a unique email address in the database will be able to have a new password sent. It is recommended to check beforehand whether all email addresses are unique. If you left the configuration option "Allow email address re-use" in the ACP (General > Board configuration > User registration settings) at the default "false" in your board, this will be the case.

Extension Version: 0.1.0
Requirements: phpBB 3.2+, PHP 7+
Extension Download: https://github.com/marttiphpbb/phpbb-ex ... master.zip The files are to be put in ext/marttiphpbb/emailonlypasswordreset
Github repository: https://github.com/marttiphpbb/phpbb-ex ... swordreset
Languages: en
Templates: prosilver
Related extensions:
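
The uniqueness check recommended in the post above, as an added example that is not part of the original post or the extension's code. It assumes phpBB's users table with the default `phpbb_` prefix and runs the queries against constructed rows in an in-memory SQLite database; the case-insensitive comparison is a choice made for this example.

```python
import sqlite3

# Constructed sample rows. Table and column names follow phpBB's users table
# with the default "phpbb_" prefix (assumed); adjust to your installation.
SAMPLE_USERS = [
    (2, "alice", "alice@example.org"),
    (3, "bob", "shared@example.org"),
    (4, "bob_alt", "Shared@Example.org"),  # same mailbox, different case
    (5, "crawler", ""),                    # account without an address
]

# Addresses used by more than one account; empty addresses are ignored.
DUPLICATES_SQL = """
    SELECT LOWER(user_email), GROUP_CONCAT(username)
    FROM phpbb_users
    WHERE user_email <> ''
    GROUP BY LOWER(user_email)
    HAVING COUNT(*) > 1
"""

def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE phpbb_users "
                 "(user_id INTEGER PRIMARY KEY, username TEXT, user_email TEXT)")
    conn.executemany("INSERT INTO phpbb_users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn

def duplicate_emails(conn):
    """Map each shared address to the sorted usernames that use it."""
    return {email: sorted(names.split(","))
            for email, names in conn.execute(DUPLICATES_SQL)}

def reset_target(conn, email):
    """Return the user_id to reset, or None unless exactly one account matches."""
    rows = conn.execute(
        "SELECT user_id FROM phpbb_users "
        "WHERE user_email <> '' AND LOWER(user_email) = LOWER(?)",
        (email.strip(),)).fetchall()
    return rows[0][0] if len(rows) == 1 else None

if __name__ == "__main__":
    db = open_sample_db()
    print(duplicate_emails(db))
    print(reset_target(db, "alice@example.org"))
```

Accounts listed by `duplicate_emails` are the ones that could not receive a reset by email alone until the shared address is resolved.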

Re: [3.2][BETA] Email Only Password Reset

Posted: Fri Jun 08, 2018 3:42 am
by Toxyy
Can you add an option for username or email? That would have it incorporate all scenarios a user would want.

Re: [3.2][BETA] Email Only Password Reset

Posted: Fri Jun 08, 2018 5:30 am
by martti
Toxyy wrote:
Fri Jun 08, 2018 3:42 am
Can you add an option for username or email? That would have it incorporate all scenarios a user would want.
I thought of that, but then I let it go because it might become an instrument of attack. A robot or person can just read the usernames from the board.

For those who are ok with the risk I could make another extension for this scenario. It's just a small modification from this extension and then I don't need to add configuration. Both extensions are then simple and focused.

Did you test the extension?

Re: [3.2][BETA] Email Only Password Reset

Posted: Fri Jun 08, 2018 5:45 am
by Toxyy
martti wrote:
Fri Jun 08, 2018 5:30 am
Toxyy wrote:
Fri Jun 08, 2018 3:42 am
Can you add an option for username or email? That would have it incorporate all scenarios a user would want.
I thought of that, but then I let it go because it might become an instrument of attack. A robot or person can just read the usernames from the board.

For those who are ok with the risk I could make another extension for this scenario. It's just a small modification from this extension and then I don't need to add configuration. Both extensions are then simple and focused.

Did you test the extension?
Wouldn't they just be able to do that if this extension is disabled anyways? I'm not quite sure it matters if the reset always goes to the user's email.

No I haven't, I can tomorrow.

Re: [3.2][BETA] Email Only Password Reset

Posted: Fri Jun 08, 2018 9:21 am
by martti
Toxyy wrote:
Fri Jun 08, 2018 3:42 am
Can you add an option for username or email? That would have it incorporate all scenarios a user would want.
I have started another extension for this: Username Or Email Password Reset.

Re: [3.2][BETA] Email Only Password Reset

Posted: Thu Feb 07, 2019 2:43 pm
by colinshead
Hi Martti

Extension seems to work fine, but functionality not much of an improvement in my view on the standard phpBB Forgot Password arrangement. Users still end up having a two step process (activate plus login with a random password). I find that many of my users struggle with this forgot password arrangement, as many have very limited IT skills, and longish random passwords are a bit daunting!

Could not the extension offer the following functionality:

User clicks the Forgot Password link

Ext sends an e-mail containing a link, which when clicked takes the user to a Password Reset screen.

The Password Reset screen allows the user to enter a new password (twice to ensure accuracy) then User clicks submit, and is immediately redirected to the normal login screen, where he/she can log in to the board.

Obviously the password entered should be constrained to the password complexity settings in ACP. Might also be worth including a CAPTCHA test before 'Submit' becomes active, to prevent robot attempts.

I think this arrangement would be entirely secure, unless the user's e-mail account has itself been compromised, in which case the user has more to worry about than a board password reset!

All the best

Colin
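
The token handling behind the link-based flow proposed in the post above, as an added example that is not code from the extension or from phpBB. `ResetStore`, `TOKEN_TTL` and `min_length_policy` are hypothetical names, the one-hour lifetime is an assumed value, and mail delivery and the CAPTCHA step are left out.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600  # seconds an e-mailed link stays valid (assumed value)

class ResetStore:
    """In-memory stand-in for a reset-token table (hypothetical, not phpBB's)."""

    def __init__(self, now=time.time):
        self._rows = {}  # user_id -> (sha256 of token, expiry timestamp)
        self._now = now

    def issue(self, user_id):
        """Create the token for the e-mailed link; only its hash is stored."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self._rows[user_id] = (digest, self._now() + TOKEN_TTL)
        return token

    def redeem(self, user_id, token, new_pw, confirm_pw, policy):
        """Return True once per token, and only if every check passes."""
        row = self._rows.get(user_id)
        if row is None:
            return False
        digest, expires = row
        presented = hashlib.sha256(token.encode()).digest()
        # Constant-time comparison, then the expiry check.
        if not hmac.compare_digest(digest, presented) or self._now() > expires:
            return False
        if new_pw != confirm_pw or not policy(new_pw):
            return False         # token is kept so the user can retry the form
        del self._rows[user_id]  # single use: a replayed link is rejected
        return True

def min_length_policy(pw, n=8):
    """Stand-in for the board's password complexity setting."""
    return len(pw) >= n
```

The caller sets the new password only when `redeem` returns True; storing the hash rather than the token means a leaked table does not yield usable links.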

Re: [3.2][BETA] Email Only Password Reset

Posted: Thu Feb 07, 2019 3:12 pm
by martti
colinshead wrote:
Thu Feb 07, 2019 2:43 pm
Hi Martti

Extension seems to work fine, but functionality not much of an improvement in my view on the standard phpBB Forgot Password arrangement. Users still end up having a two step process (activate plus login with a random password). I find that many of my users struggle with this forgot password arrangement, as many have very limited IT skills, and longish random passwords are a bit daunting!

Could not the extension offer the following functionality:

User clicks the Forgot Password link

Ext sends an e-mail containing a link, which when clicked takes the user to a Password Reset screen.

The Password Reset screen allows the user to enter a new password (twice to ensure accuracy) then User clicks submit, and is immediately redirected to the normal login screen, where he/she can log in to the board.

Obviously the password entered should be constrained to the password complexity settings in ACP. Might also be worth including a CAPTCHA test before 'Submit' becomes active, to prevent robot attempts.

I think this arrangement would be entirely secure, unless the user's e-mail account has itself been compromised, in which case the user has more to worry about than a board password reset!

All the best

Colin
That would be something for another extension as it is other functionality. My philosophy is that extensions should do only one thing. (But I don't have plans to make this one)

Re: [3.2][BETA] Email Only Password Reset

Posted: Thu Feb 28, 2019 7:30 am
by trilo
Any chance of this being submitted for review and released? It sounds like a perfect piece of functionality (thank you). Most times when one of my users forgets their password, they also can't remember their username... and they never think to search the memberlist before filling out the contact form to ask for help.

The usual process (as I've observed) seems to be: get the wrong pw and try again (a few times hehe). Then they try the forgot password link, but can't remember the username/email combo. Then they try creating a new account and find that the email address is in use. User then fills out the contact form and friendly neighborhood admin looks up the username for them.

Letting people request a reset email using just the email address that's registered will save several steps for users and hopefully eliminate the need for admin assistance on that issue.

I'm happy to install and test on a beta site, but would prefer not to use pre-release extensions on production site if I can avoid it.

Thanks in advance!

Re: [3.2][BETA] Email Only Password Reset

Posted: Fri Mar 01, 2019 2:29 pm
by martti
trilo wrote:
Thu Feb 28, 2019 7:30 am
Any chance of this being submitted for review and released? It sounds like a perfect piece of functionality (thank you). Most times when one of my users forgets their password, they also can't remember their username... and they never think to search the memberlist before filling out the contact form to ask for help.

The usual process (as I've observed) seems to be: get the wrong pw and try again (a few times hehe). Then they try the forgot password link, but can't remember the username/email combo. Then they try creating a new account and find that the email address is in use. User then fills out the contact form and friendly neighborhood admin looks up the username for them.

Letting people request a reset email using just the email address that's registered will save several steps for users and hopefully eliminate the need for admin assistance on that issue.

I'm happy to install and test on a beta site, but would prefer not to use pre-release extensions on production site if I can avoid it.

Thanks in advance!
In some weeks I will be using this on my live board and then the plan is that after a while it will go to RC.

Re: [3.2][BETA] Email Only Password Reset

Posted: Sat Mar 02, 2019 11:03 pm
by janus_zonstraal
I think it is now the standard in phpBB 3.2.5 (only email address)
ucp.php?mode=sendpassword

Re: [3.2][BETA] Email Only Password Reset

Posted: Sun Mar 03, 2019 5:47 am
by martti
janus_zonstraal wrote:
Sat Mar 02, 2019 11:03 pm
I think it is now the standard in phpBB 3.2.5 (only email address)
ucp.php?mode=sendpassword
Ah yes, indeed. I thought I read that somewhere. So this extension is not needed anymore.

Re: [3.2][BETA] Email Only Password Reset

Posted: Sun Mar 03, 2019 7:19 am
by John connor
Yeah, I just came here to say that. phpBB now requires an email address for password reset.

Re: [3.2][BETA] Email Only Password Reset

Posted: Thu Apr 25, 2019 4:25 pm
by martti
As this functionality is now in the core of phpBB since 3.2.5 this extension is discontinued.