recover password with email (lost password)
Cyrille37 #1
Member since Feb 2010 · 12 posts · Location: France
Group memberships: Members
Subject: recover password with email (lost password)
Hi,
I could not find a plugin to permit password recovery with email nor username.
Users are often lost with their unknown username.

@Tech: I did not yet read the doc about that, but is there an event or hook to add this functionality?

Cheers,
Cyrille.
Cyrille37 #2
Member since Feb 2010 · 12 posts · Location: France
Group memberships: Members
I had a look at function html_resendpwd() in inc/html.php and there is no event or hook possible.
What's the right method to overload such DokuWiki behavior?
Thanks.
virk #3
Member since Aug 2008 · 503 posts · Location: Aachen, Germany
Group memberships: Members
I do not understand completely what you want; but do you know about the possibilities in the configuration ("admin"-section and the "configuration") of DokuWiki?
Cyrille37 #4
Member since Feb 2010 · 12 posts · Location: France
Group memberships: Members
Hi @virk,

I just want to permit recovering a lost password with email. Actually DokuWiki permits recovering a password only with the username, but people usually forget their username.
turnermm (Moderator) #5
Member since Oct 2009 · 3896 posts · Location: Canada
Group memberships: Global Moderators, Members, Super Mods
You mean, then, that you want some system of recovery which starts with email address only?
Myron Turner
github: https://github.com/turnermm
plugins, templates: http://www.mturner.org/devel
Cyrille37 #6
Member since Feb 2010 · 12 posts · Location: France
Group memberships: Members
Yes, exactly
Cyrille37 #7
Member since Feb 2010 · 12 posts · Location: France
Group memberships: Members
Hello
This subject does not seem to be famous.
I'm surprised, because many many users of DokuWiki instances around me create a new user for contributing because they lost their password and username. They only remember their email address.
Cheers.
SFITCS #8
User title: Scott Ferguson
Member since Dec 2014 · 455 posts · Location: Canberra, Australia
Group memberships: Members
"This subject does not seem to be famous."
Oh? Perhaps not on these forums, but it certainly is on security forums. (under top 10 things not to do)

As the listed site contact for a number of DokuWiki sites (and other websites), I occasionally get emails from people who (say they) have forgotten their username (and who have lost their passwords for their email accounts). If they can verify their identity - I reset their account. That is the issue. i.e. if they remember their email accounts but can't remember their (DokuWiki) username and have deleted their registration email, I have to make a judgement call (are they the real person that registered the DokuWiki account?). Most of the time I find they are not the person that registered the original DokuWiki account.... (I check the server connection records - if the original registration was from Australia/USA/UK, and the request to reset comes from China or Russia or a proxy (on my list) then I have a duty to deny their request.) Your idea of security and obligation to your DokuWiki users may vary from mine.

tl/dr? Security is hard.
Don't do it!
If "they" can't keep track of their usernames they should register for a new account. The reason DokuWiki and most web applications don't allow this is for good security reasons.
It's possible to automate the process, but for the reasons stated above I'm not providing advice on how to do so. I'd strongly suggest you follow Best Practice and list your email as the tech contact for the domain, if people truly forgot their username and lost their original registration email (why would you delete it?) - they can email you and convince you they are not identity thieves - and provide a compelling reason why you should provide them with the original username so they can reset their password (or do you truly believe they remember the password and email account but not the username?). Automating the process will make many more enemies (with just cause) than it will make friends.

Don't forget that people often share email accounts. You'll find many crime files where someone got access to their "friend/partners" web account by simply claiming they forgot the username (then using the username to request a password reset).

Most simple answer:- tell them to register a new username, that way you can be sure you are not helping someone steal someone else's identity.
Cyrille37 #9
Member since Feb 2010 · 12 posts · Location: France
Group memberships: Members
Hi & thanks @SFITCS

I understand, but do not really agree with your arguments:
- websites I have done and/or manage permit recovering access with email and we never had a problem.
- Government, institution, e-commerce websites permit recovering access with email, like a lot of websites.

However, I think recovering access with email is not a security concern, but a functionality concern. User and Admin have to make the choice, and the developer just gives the functionality ;-)

Best regards, Cheers
Cyrille.
SFITCS #10
User title: Scott Ferguson
Member since Dec 2014 · 455 posts · Location: Canberra, Australia
Group memberships: Members
Quote by Cyrille37:
Hi & thanks @SFITCS

I understand, but do not really agree with your arguments:
- websites I have done and/or manage permit recovering access with email and we never had a problem.
- Government, institution, e-commerce websites permit recovering access with email, like a lot of websites.

However, I think recovering access with email is not a security concern, but a functionality concern. User and Admin have to make the choice, and the developer just gives the functionality ;-)

Best regards, Cheers
Cyrille.

I agree - it's a functionality you (administrator) should control. For the reasons I stated I understand why every CMS I've worked with doesn't include that functionality as a default (but it's still possible, just unsupported - simply look at the code, you need to change 2 lines in DokuWiki).

I gently disagree that it's not a security concern. :)

:) YMMV. As may your definition of "by email".
Yes - we reset passwords by email.
No - we don't reset usernames by email without deleting the original username access (in which case "you" would need to present to management first). Perhaps you refer to a part of Europe that doesn't use LDAP or Active Directory(?) for "Government and institution" websites (I'm not a lawyer, nor have I worked in every part of "Europe"). In many cases there are Rainbow keys or other methods of dual authentication that would also need to be reset.

Note that I have little experience with small websites or local government - and I recognise that your clients may not care about my experience.

I've worked in the UK and the USA (and other places)... in my limited experience (government and private enterprise) it's the same as here in Australia. BP is we (administrators) will not reissue usernames if someone loses it (call your boss or the Help desk and we'll remind you of your username - and restore the emails you deleted in your email account on our email server). Generally we use central authentication so it's not possible (single login). i.e. if we reset the username for DokuWiki we'd be locking them out of every other network resource their profile allows.

tl/dr? Like it or not, the reasons I have stated are the same ones that mean you are unlikely to find a solution to your problem. Ditto for Concrete, CMS Made Simple, WordPress, Contao, Dolibarr, Drupal, Magento, Moodle, ModX, PrestaShop, MoveableType, SilverStripe, Typo3 and many other "common" web applications (unless things have changed since we last supported them).
We'll reset passwords by sending them to the registered email account - but only if the user knows the username. Which is generally part of their profile (for every government department client my employers have worked with - that's generally mandated by law in the EU and the USA. Hint: ITIL). :)
Cyrille37 #11
Member since Feb 2010 · 12 posts · Location: France
Group memberships: Members
Quote by SFITCS:
... simply look at the code, you need to change 2 lines in DokuWiki) ...

Hi,
Yes, we touch my problem. I read the code and could not find how to change the behavior with a plugin. This part of the code seems not to be extendable/overridable. I do not want to make a hard-coded change in core code. Perhaps I am missing some DokuWiki knowledge.
Thanks for discussion
Cyrille.
SFITCS #12
User title: Scott Ferguson
Member since Dec 2014 · 455 posts · Location: Canberra, Australia
Group memberships: Members
In retrospect - I'm sorry if my response seemed too negative - let me think about the appropriate way to provide an answer. I suspect the correct thing to do is to reply via PM (so that readers don't mistake it for an official method, leading to an unfair complaint that DokuWiki promotes bad security). I might not get a chance to do that until the weekend.

NOTE: Please consider the legal implications if it later turns out you accidentally assist someone to steal someone else's account. (sometimes keeping losers users happy comes at a price :-(, and, I am not a DokuWiki developer - my opinion should not be conflated with an official, authoritative response.)

In the meantime - I'd still suggest that you put your email address into the tech. contact field of the DNS record so that visitors (people that "forgot" their username) can contact you for an "unusual" request
whois "$YourDokuWikiDomain" | grep "Tech Contact Email:"
Substitute your actual DokuWiki domain for $YourDokuWikiDomain.
Ideally that would be accessible via the site contact page (not just the whois record).

Thanks for your patience.
andi (Administrator) #13
User title: splitbrain
Member since May 2006 · 3187 posts · Location: Berlin Germany
Group memberships: Administrators, Members
Please note that email addresses in DokuWiki may not be unique (some backends may enforce it, the default plain one does not).
Read this if you don't get any useful answers.
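
The note above about non-unique email addresses can be checked on an existing installation before any email-based recovery is considered. The following is an added example, not part of the original thread and not DokuWiki code; it assumes the plain backend's user file uses the `login:passwordhash:Real Name:email:groups` layout with `\:` escaping, and the sample data is constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the assumed layout of the plain backend's user file
# (login:passwordhash:Real Name:email:groups); hashes are placeholders.
SAMPLE_USERS_AUTH = r"""
# users.auth.php
# <?php exit()?>
alice:$1$placeholder$hash:Alice Martin:alice@example.org:user
amartin:$1$placeholder$hash:A. Martin:Alice@Example.org:user,editor
bob:$1$placeholder$hash:Bob\: the builder:bob@example.org:user
shared1:$1$placeholder$hash:Front Desk:desk@example.org:user
shared2:$1$placeholder$hash:Front Desk 2:desk@example.org :user
"""

# A field separator is a colon that is not escaped as "\:" (assumption).
_FIELD_SEP = re.compile(r"(?<!\\):")


def parse_users(text):
    """Yield (login, email) per account line; skip comments and short lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = _FIELD_SEP.split(line)
        if len(fields) < 5:
            continue  # malformed line: not enough fields to trust
        yield fields[0], fields[3]


def ambiguous_emails(text):
    """Return {email: [logins]} for every address shared by several logins.

    Addresses are trimmed and lower-cased before comparison, a normalisation
    chosen here because a mailbox rarely distinguishes case in practice.
    """
    by_email = defaultdict(list)
    for login, email in parse_users(text):
        by_email[email.strip().lower()].append(login)
    return {e: sorted(ls) for e, ls in by_email.items() if len(ls) > 1}


if __name__ == "__main__":
    for email, logins in sorted(ambiguous_emails(SAMPLE_USERS_AUTH).items()):
        print(f"{email}: {', '.join(logins)}")
```

Any address this reports maps to more than one account, so an email-only lookup cannot tell which account the requester means.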