When a user on my site (at http://forum.gmahoa.info) requests a new password the following email is sent...

*****************************************

test1,

A request to be reminded of your password has been received.

Your login details are as follows:

username: test1
password: !password

You may now login at http://forum.gmahoa.info

After logging in, you may choose a new password by visiting your profile.

--
Gardens of Maia Alta Forum

*****************************************

Please note the !password.

I don't think it should be like that. How do I make it send the current password to the user?

Thanks for your help.

peter

Comments

Anonymous

Yeah, I'm having the same issue. I'm currently trawling through the forums to try and find out more information...

Apparently it's a security 'feature' to do with password encryption and the way that passwords are stored. Drupal generates an md5 hash of the password and stores that in the database. Which I'm led to believe produces a non revivable one way verification process or something?

"It's evil to send passwords, even temporary passwords, in the clear in emails. So, drupal uses 1-time login links, instead, which redirect you to the page to set a real password. Those lead to better security overall. So you want to use !login_url, not !password."

But it puzzles me why on earth they leave the option for !password in then!?

Especially from a usability perspective I would much rather just hit one button and have my password emailed out to me! Considering how trivial the security of user accounts is on most of the websites I'm making I wish this function actually worked... gggggrrrrrhh!
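
The following is an added example, not part of the thread and not Drupal's own code: a sketch of why a site that stores only a password hash has nothing to put in `!password`, and how a one-time login link of the kind quoted above can be built instead. The names `SITE_KEY`, `LINK_TTL`, the `/user/reset/...` path layout and the use of PBKDF2 and HMAC-SHA256 (rather than the md5 mentioned in the thread) are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

SITE_KEY = os.urandom(32)  # assumption: per-site secret kept on the server
LINK_TTL = 24 * 3600       # assumption: links are valid for one day


def hash_password(password):
    """Return 'salt$digest'; the plaintext cannot be derived from this."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def login_token(user, timestamp):
    """MAC over the account state, so any state change voids old links."""
    msg = "{uid}:{ts}:{last_login}:{pass_hash}".format(ts=timestamp, **user)
    return hmac.new(SITE_KEY, msg.encode(), hashlib.sha256).hexdigest()


def reset_path(user, now=None):
    """Build the path that goes in the email in place of a password."""
    ts = int(time.time() if now is None else now)
    return "/user/reset/{}/{}/{}".format(user["uid"], ts, login_token(user, ts))


def verify_reset(user, path, now=None):
    """Accept the link only if it is well formed, unexpired and unused."""
    now = int(time.time() if now is None else now)
    try:
        _, _, _, uid, ts, token = path.split("/")
        uid, ts = int(uid), int(ts)
    except ValueError:
        return False
    if uid != user["uid"] or ts > now or now - ts > LINK_TTL:
        return False
    expected = login_token(user, ts)
    return hmac.compare_digest(token.encode(), expected.encode())
```

Because the token covers `last_login` and `pass_hash`, the link stops working as soon as it has been used to log in or the password has been changed, which is what makes it safer to email than a reusable password.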