Loading...
 
Features / Usability

Features / Usability


Password Reminder Problems

posts: 3665 United States

For some of my users, when they request a password reminder (tiki-remind_password.php) they get the reminder email, but the password is blank (empty).

I'm using 1.8.5 and have Remind passwords by email = Y.

When I look at the users_users database table, about half my users have a blank password field. However, one of those users is me — I'm able to log on just find (I remember my password), but if I try the Remind Me function, I also get the blank email.

TIA,

-R

posts: 3665 United States

> Update your template for the mail ?
>


Thanks, but that's not it — when I use it for some uses (including myself) the email includes the password.

Anyone know why the password field in the users_users db table would be blank for users? But they can still login?

-R


posts: 3665 United States

There's something wrong in my database. For some users, in the users_users table their password is blank, but there is a value for the hash?

Anyone know how I can ressurect the "missing" passwords?

Is there no way (as admin) that I can reset other users' passwords?

-R


posts: 1092

Perhaps I am wrong, but so far I know
When you are in the situation admin- >login -> "Store plaintext passwords" = n
The password field that you find in the database is not used. The real password is in the md5. On my site, all the password field are empty, and it is working.
Did you change this option one day?

If Store plaintext passwords" = y
The password field is resent at remind password - at least I think I don't use this option.


Perhaps something more important to chack what is happening when a user asks for a pswd reminder, is the field provpass filled with something no empty? This is the temporary password (at least in the case Store plaintext passwords" = n)

When you ask for a new password, the md5 is changed (I think it is changed now, the md5 will be changed only when you activate the confirmation of a remind password)

posts: 3665 United States



Here's a detailed example:

User A, in table user_user, shows:

  • password = blank
  • provpas = blank
  • hash = some value

User A can login fine.
Using the remind feature however, $pass is blank.

User B, in table user_user, shows:

  • password = some value
  • provpas = blank
  • hash = some value

User A can login fine.
Using the remind feature, $pass is valid value.

I have both:

  • Remind passwords by email = Y (My understanding is that this should send the user their current password — not generate a new one, right?)
  • Store plaintext passwords = Y (Yes, I did at one point change this from N to Y, does that screw up my database?)



Is there a way to un-md5 the hash values for users (like A, in the above example) so I can reclaim their password value?


> Perhaps I am wrong, but so far I know
> When you are in the situation admin- >login -> "Store plaintext passwords" = n
> The password field that you find in the database is not used. The real password is in the md5. On my site, all the password field are empty, and it is working.
> Did you change this option one day?
>
> If Store plaintext passwords" = y
> The password field is resent at remind password - at least I think I don't use this option.
>
>
> Perhaps something more important to chack what is happening when a user asks for a pswd reminder, is the field provpass filled with something no empty? This is the temporary password (at least in the case Store plaintext passwords" = n)
>
> When you ask for a new password, the md5 is changed (I think it is changed now, the md5 will be changed only when you activate the confirmation of a remind password)
>
>

posts: 3665 United States



Here's a detailed example:

User A, in table user_user, shows:

  • password = blank
  • provpas = blank
  • hash = some value

User A can login fine.
Using the remind feature however, $pass is blank.

User B, in table user_user, shows:

  • password = some value
  • provpas = blank
  • hash = some value

User B can login fine.
Using the remind feature, $pass is valid value.

I have both:

  • Remind passwords by email = Y (My understanding is that this should send the user their current password — not generate a new one, right?)
  • Store plaintext passwords = Y (Yes, I did at one point change this from N to Y, does that screw up my database?)



Is there a way to un-md5 the hash values for users (like A, in the above example) so I can reclaim their password value?


> Perhaps I am wrong, but so far I know
> When you are in the situation admin- >login -> "Store plaintext passwords" = n
> The password field that you find in the database is not used. The real password is in the md5. On my site, all the password field are empty, and it is working.
> Did you change this option one day?
>
> If Store plaintext passwords" = y
> The password field is resent at remind password - at least I think I don't use this option.
>
>
> Perhaps something more important to chack what is happening when a user asks for a pswd reminder, is the field provpass filled with something no empty? This is the temporary password (at least in the case Store plaintext passwords" = n)
>
> When you ask for a new password, the md5 is changed (I think it is changed now, the md5 will be changed only when you activate the confirmation of a remind password)
>
>


Upcoming Events

1)  18 Apr 2024 14:00 GMT-0000
Tiki Roundtable Meeting
2)  16 May 2024 14:00 GMT-0000
Tiki Roundtable Meeting
3)  20 Jun 2024 14:00 GMT-0000
Tiki Roundtable Meeting
4)  18 Jul 2024 14:00 GMT-0000
Tiki Roundtable Meeting
5)  15 Aug 2024 14:00 GMT-0000
Tiki Roundtable Meeting
6)  19 Sep 2024 14:00 GMT-0000
Tiki Roundtable Meeting
7) 
Tiki birthday
8)  17 Oct 2024 14:00 GMT-0000
Tiki Roundtable Meeting
9)  21 Nov 2024 14:00 GMT-0000
Tiki Roundtable Meeting
10)  19 Dec 2024 14:00 GMT-0000
Tiki Roundtable Meeting