Lost password? Click here

Posted:
Thu Mar 19, 2009 10:04 pm
by gerbilfur
It would be really great for users to be able to reset their own password, for those of us that have a large number of losers... I mean users that forget their passwords.
Just switched from Jinzora today - Subsonic is ahhh-mazing. Well done.
ditto

Posted:
Wed May 06, 2009 10:36 pm
by infocalypse
I'll second this one, big-time. I get forgotten-password requests from friends constantly. It would be awesome to be able to record the email address for each account and simply have a button for firing off the forgotten password to the saved email from the initial login screen.
(I'm another jinzora convert, too. Subsonic is the shizzle!)

Posted:
Thu May 07, 2009 7:08 am
by jigsaw
I like the feature, but it should not be sending the actual password by email in plain text. That's just not safe enough (and since it's encrypted in the Subsonic db it may even be impossible).
The best implementation of "lost password" is in my mind one of the following:
- At request an email is sent to the registered email address with a link (which should be long and cryptic). This link would give the user direct access to the "Change my password" settings page. The link should only be valid for a limited period of time, say 24 hours.
- At request the password would be reset to something auto-generated, which is then sent to the registered email address. This password should only be valid for a limited period of time, say 24 hours. This would then force the user to log in and change the password within a day.
The positive impact of the first alternative is that if anybody else requests the password for some other account, the actual user may just ignore the email and keep his current password.
However I guess the second alternative is simpler to implement.

Posted:
Thu May 07, 2009 9:14 pm
by sindre_mehus
Great suggestions! I've recorded them in my (slightly overweight) backlog.

Posted:
Wed May 20, 2009 12:34 am
by infocalypse
Jigsaw,
I'll agree but disagree. Yes, the implementation of a lost-password mechanism should ideally have cryptic links and automated processes for resetting passwords without submitting them in plain text.
That said, this isn't exactly high-security software we're talking about, nor do we have an expansive (or highly paid) development staff to pull engineering resources from.
I don't know about you, but if simplifying this process means there's a better chance of getting it into the next release, I'll gladly accept the addition of a simple email address field for each new account along with a basic "forgot password" link on the main page which emails the password in plain text back to the user.
To ward off security concerns in the short term, perhaps administrators could simply elect to disable this functionality altogether. Again, I like your ideas in principle... but I'm more inclined to vote for the simplest implementation first.

Posted:
Wed May 20, 2009 4:22 am
by mixmaster
I'm the opposite. Don't skimp on security, there's probably some library out there to handle the bulk of the work and I'd rather have Sindre take his time and do it right rather than implement a substandard solution.