Proposal for user-selected password during registration
Reported by: _ck_ | Owned by:
bbPress should enhance the registration process to the modern friendly method of allowing the user to create their own password rather than an initial harsh random one that is hard to remember/copy.
This improvement would have an important benefit of not sending real passwords via email in clear text and archived in their email accounts for hackers to find.
Two mandatory additional fields on the register.php page: one for the password, a second to verify since it will be hidden as they type, à la *
The currently generated random password can be used instead in an email, still sent and required to be checked, as an authorization code to prove ownership of an email account:
"please click this link to activate your account http://bbpress.org/forums/?account-verify=583%$#1*"
This auth code would have to be stored in user meta data, kept as md5/hash etc. like the current password method uses, so a hacker cannot take advantage of un-activated accounts if they get ahold of the db.
The accounts would have to start on inactive status and be upgraded to active, deleting the auth code after activation to prevent re-use.
A user who forgets their password would be sent a new auth code, instead of a replacement password - then upon verifying with the link, they would get taken to a page to enter a new password for themselves.
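A sketch of the flow proposed above (inactive account, hashed single-use auth code, reset by code instead of emailed password), added here as an illustration and not bbPress code. The `$users` array stands in for the user and user-meta tables, all function names are hypothetical, and SHA-256 over a random hex token is substituted for the md5-style hash the ticket mentions.

```php
<?php
// Hypothetical in-memory stand-in for the user and user-meta tables.
$users = [];

// Create a random, URL-safe code; store only its hash in "user meta".
function issue_code(array &$users, int $id): string {
    $code = bin2hex(random_bytes(16));
    $users[$id]['meta']['auth_code_hash'] = hash('sha256', $code);
    return $code; // the plain code appears only in the emailed link
}

// Verify a presented code in constant time and delete it so it cannot be reused.
function consume_code(array &$users, int $id, string $code): bool {
    $stored = $users[$id]['meta']['auth_code_hash'] ?? null;
    if (!is_string($stored) || !hash_equals($stored, hash('sha256', $code))) {
        return false;
    }
    unset($users[$id]['meta']['auth_code_hash']);
    return true;
}

// Registration: the user picks the password; the account starts inactive.
function register_user(array &$users, int $id, string $email, string $pass): string {
    $users[$id] = [
        'email'  => $email,
        'status' => 'inactive',
        'pass'   => password_hash($pass, PASSWORD_DEFAULT),
        'meta'   => [],
    ];
    return issue_code($users, $id);
}

// Clicking the emailed link upgrades the account to active.
function activate_user(array &$users, int $id, string $code): bool {
    if (!consume_code($users, $id, $code)) {
        return false;
    }
    $users[$id]['status'] = 'active';
    return true;
}

// Forgotten password: a fresh code is mailed, and the user sets the new password.
function reset_password(array &$users, int $id, string $code, string $new): bool {
    if (!consume_code($users, $id, $code)) {
        return false;
    }
    $users[$id]['pass'] = password_hash($new, PASSWORD_DEFAULT);
    return true;
}

// Constructed sample run: wrong code, correct code, then replay of the used code.
$code = register_user($users, 1, 'user@example.test', 'chosen-by-user');
var_dump(activate_user($users, 1, 'not-the-code'));
var_dump(activate_user($users, 1, $code));
var_dump(activate_user($users, 1, $code));
```

A real implementation would also expire unused codes and rate-limit verification attempts, neither of which the ticket specifies.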
Change History (9)
- Milestone changed from 0.9 to 1.0-beta & XML-RPC
- Version set to 1.0-alpha (trunk)
- Resolution set to wontfix
- Status changed from new to closed