Lost password? Click here


Postby gerbilfur » Thu Mar 19, 2009 10:04 pm

It would be really great for users to be able to reset their own password, for those of us that have a large number of losers... I mean users that forget their passwords.

Just switched from Jinzora today - Subsonic is ahhh-mazing. Well done.
gerbilfur
 
Posts: 1
Joined: Thu Mar 19, 2009 10:01 pm

ditto

Postby infocalypse » Wed May 06, 2009 10:36 pm

I'll second this one, big-time. I get forgotten-password requests from friends constantly. It would be awesome to be able to record the email address for each account and simply have a button for firing off the forgotten password to the saved email from the initial login screen.

(I'm another jinzora convert, too. Subsonic is the shizzle!)
infocalypse
 
Posts: 8
Joined: Wed May 06, 2009 10:34 pm

Postby jigsaw » Thu May 07, 2009 7:08 am

I like the feature, but it should not be sending the actual password by email in plain text. That's just not safe enough (and since it's encrypted in the Subsonic db it may even be impossible).
The best implementation of "lost password" is in my mind one of the following:

- At request an email is sent to the registered email address with a link (which should be long and cryptic). This link would give the user direct access to the "Change my password" settings page. The link should only be valid for a limited period of time, say 24 hours.
- At request the password would be reset to something auto-generated, which is then sent to the registered email address. This password should only be valid for a limited period of time, say 24 hours. This would then force the user to log in and change the password within a day.

The positive impact of the first alternative is that if anybody else requests the password for some other account, the actual user may just ignore the email and keep his current password.
However I guess the second alternative is simpler to implement.
Currently without Subsonic due to hardware failure :(
jigsaw
 
Posts: 242
Joined: Sat Oct 13, 2007 12:01 pm
Location: Stavanger, Norway
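
The first alternative described in the post above, as an added Python example (not part of the original thread and not Subsonic's code): a random single-use token with a 24-hour lifetime, of which only a hash is stored. The class name, the in-memory store and the `/resetPassword` URL layout are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

TOKEN_TTL_SECONDS = 24 * 60 * 60  # the 24-hour validity window suggested in the post


class ResetTokenStore:
    """In-memory stand-in for a table of pending password resets (hypothetical)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # username -> (sha256 hex of token, expiry timestamp)

    def issue(self, username):
        """Create the token for the emailed link; only its hash is kept server-side."""
        token = secrets.token_urlsafe(32)  # 256 random bits: "long and cryptic"
        digest = hashlib.sha256(token.encode()).hexdigest()
        # A new request replaces any older pending token for the same account.
        self._pending[username] = (digest, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, username, token):
        """Return True exactly once for a matching, unexpired token."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        digest, expires_at = entry
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, presented):
            return False  # wrong token: the pending entry stays untouched
        del self._pending[username]  # single use, whether expired or not
        return self._clock() <= expires_at


def build_reset_link(base_url, username, token):
    """Assumed URL layout; the thread does not name the settings-page path."""
    query = urlencode({"user": username, "token": token})
    return f"{base_url}/resetPassword?{query}"
```

`issue` never touches the account's stored password, so a reset requested by someone else leaves the existing password working, which is the advantage the post attributes to this alternative.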

Postby sindre_mehus » Thu May 07, 2009 9:14 pm

Great suggestions! I've recorded them in my (slightly overweight) backlog.
sindre_mehus
 
Posts: 1955
Joined: Tue Nov 29, 2005 6:19 pm
Location: Oslo, Norway

Postby infocalypse » Wed May 20, 2009 12:34 am

Jigsaw,

I'll agree but disagree. Yes, the implementation of a lost-password mechanism should ideally have cryptic links and automated processes for resetting passwords without submitting them in plain text.

That said, this isn't exactly high-security software we're talking about, nor do we have an expansive (or highly paid) development staff to pull engineering resources from.

I don't know about you, but if simplifying this process means there's a better chance of getting it into the next release, I'll gladly accept the addition of a simple email address field for each new account along with a basic "forgot password" link on the main page which emails the password in plain text back to the user.

To ward off security concerns in the short term, perhaps administrators could simply elect to disable this functionality altogether. Again, I like your ideas in principle... but I'm more inclined to vote for the simplest implementation first.
infocalypse
 
Posts: 8
Joined: Wed May 06, 2009 10:34 pm

Postby mixmaster » Wed May 20, 2009 4:22 am

I'm the opposite. Don't skimp on security, there's probably some library out there to handle the bulk of the work and I'd rather have Sindre take his time and do it right rather than implement a substandard solution.
mixmaster
 
Posts: 121
Joined: Thu Nov 13, 2008 5:30 am

