It would be really great for users to be able reset their own password, for those of us that have a large number of losers....i mean users that forget their passwords.
Just switched from Jinzora today - Subsonic is ahhh-mazing. Well done.
Lost password? Click here
Moderator: moderators
6 posts
• Page 1 of 1
Lost password? Click here
by gerbilfur » Thu Mar 19, 2009 10:04 pm
- gerbilfur
- Posts: 1
- Joined: Thu Mar 19, 2009 10:01 pm
ditto
by infocalypse » Wed May 06, 2009 10:36 pm
I'll second this one, big-time. I get forgotten-password requests from friends constantly. It would be awesome to be able to record the email address for each account and simply have a button for firing off the forgotten password to the saved email from the initial login screen.
(I'm another jinzora convert, too. Subsonic is the shizzle!)
(I'm another jinzora convert, too. Subsonic is the shizzle!)
- infocalypse
- Posts: 8
- Joined: Wed May 06, 2009 10:34 pm
by jigsaw » Thu May 07, 2009 7:08 am
I like the feature, but it should not be sending the actual password by email in plain text. That's just not safe enough ( and since it's encrypted in the subsonic db it may even be impossible ).
The best implementation of "lost password" is in my mind one of the following:
- At request an email is sent to the registered email-address with a link ( which should be long and cryptic ). This link would give the user direct access to the "Change my password"-settings page. The link should only be valid for a limited period of time, say 24-hours.
- At request the password would be reset to something auto-generated, which is then sent to the registered email-address. This password should only be valid for a limited period of time, say 24-hours. This would then force the user to log in and change the password within a day.
The positive impact of the first alternative is that if anybody else request the password for some other account, the actual user may just ignore the email and keep his current password.
However I guess the second alternative is simpler to implement.
The best implementation of "lost password" is in my mind one of the following:
- At request an email is sent to the registered email-address with a link ( which should be long and cryptic ). This link would give the user direct access to the "Change my password"-settings page. The link should only be valid for a limited period of time, say 24-hours.
- At request the password would be reset to something auto-generated, which is then sent to the registered email-address. This password should only be valid for a limited period of time, say 24-hours. This would then force the user to log in and change the password within a day.
The positive impact of the first alternative is that if anybody else request the password for some other account, the actual user may just ignore the email and keep his current password.
However I guess the second alternative is simpler to implement.
Currently without Subsonic due to hardware failure 
-
jigsaw - Posts: 242
- Joined: Sat Oct 13, 2007 12:01 pm
- Location: Stavanger, Norway
by sindre_mehus » Thu May 07, 2009 9:14 pm
Great suggestions! I've recorded them in my (slightly overweigth) backlog.
-
sindre_mehus - Posts: 1955
- Joined: Tue Nov 29, 2005 6:19 pm
- Location: Oslo, Norway
by infocalypse » Wed May 20, 2009 12:34 am
Jigsaw,
I'll agree but disagree. Yes, the implementation of a lost-password mechanism shoud ideally have cryptic links and automated processes for resetting passwords without submitting them in plain text.
That said, this isn't exactly high-security software we're talking about, nor do we have an expansive (or highly paid) development staff to pull engineering resources from.
I don't know about you, but if simplifying this process means there's a better chance of getting it into the next release, I'll gladly accept the addition of a simple email address field for each new account along with a basic "forgot password" link on the main page which emails the password in plain text back to the user.
To ward off security concerns in the short term, perhaps administrators could simply elect to disable this functionality altogether. Again, I like your ideas in principle... but I'm more inclined to vote for the simplest implementation first.
I'll agree but disagree. Yes, the implementation of a lost-password mechanism shoud ideally have cryptic links and automated processes for resetting passwords without submitting them in plain text.
That said, this isn't exactly high-security software we're talking about, nor do we have an expansive (or highly paid) development staff to pull engineering resources from.
I don't know about you, but if simplifying this process means there's a better chance of getting it into the next release, I'll gladly accept the addition of a simple email address field for each new account along with a basic "forgot password" link on the main page which emails the password in plain text back to the user.
To ward off security concerns in the short term, perhaps administrators could simply elect to disable this functionality altogether. Again, I like your ideas in principle... but I'm more inclined to vote for the simplest implementation first.
- infocalypse
- Posts: 8
- Joined: Wed May 06, 2009 10:34 pm
by mixmaster » Wed May 20, 2009 4:22 am
I'm the opposite. Don't skimp on security, there's probably some library out there to handle the bulk of the work and I'd rather have Sindre take his time and do it right rather than implement a substandard solution.
________
________
- mixmaster
- Posts: 121
- Joined: Thu Nov 13, 2008 5:30 am
6 posts
• Page 1 of 1
Who is online
Users browsing this forum: No registered users and 27 guests