phpBB3 / PHPBB3-10325

Ability to disable the "I forgot my password" feature

    Details

    • Type: Improvement
    • Status: Unverified Fix
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.1.0-dev
    • Fix Version/s: 3.1.0-a1
    • Component/s: None
    • Labels:
      None

      Description

      When phpBB is running on a webserver using SSL, the "I forgot my password" feature uses email (or XMPP) to send out a new password. Since email is generally unencrypted and other attacks such as faking the DNS reply for the MX record request are possible, it presents a weakness.

      I suggest adding a switch to disable this feature completely.

        Activity

        Derky Derky added a comment -

        I think you should however keep the "I forgot my password" link and change the contents of the sendpassword page to:
        Function disabled, contact admin:
        phpBB 3.0.x) Email address (like registration page)
        phpBB 3.1.x) Link to contact form.

        Oleg Oleg [X] (Inactive) added a comment -

        The other reason this was requested was on boards using external authentication (e.g. LDAP). In such cases phpBB cannot change users' passwords at all.


          People

          • Assignee:
            dhruv.goel92 Dhruv Goel
            Reporter:
            bantu Andreas Fischer
