osCommerce
Password forgotten and email link


14steve14

Just had a customer contact me who is trying to reset their password to their account. As with most of my customers they are of the older generation so it may be a lot of operator error. After speaking to him, I tried changing the password on my account and only had a small problem.

 

To go through what the customer says

 

He has clicked on the password forgotten button when logging in to his account as he cannot remember his password.

 

He is redirected to the next page where he enters his email address and clicks continue.

 

He receives his email, and the link to click to change the password is not a link, it's just plain text. Should this be a clickable link, or is it always just plain text?

 

I asked him to copy and paste this text link into the URL bar of his internet browser and he claimed he had, and the page went to a blank page. When I went through the process I pasted this link into the URL bar and it went to the correct page and I was able to change the password.

 

Is there any way to make the text in the password forgotten email a clickable link, or should it be a clickable link already? I have tried replacing both the forgotten password files with standard BS files and the link is still only plain text.

 

Added this to original.

Would it be beneficial and safe to actually send the customers their password in the account created email?

REMEMBER BACKUP, BACKUP AND BACKUP


Password text/link is made by this:

 

$reset_key_url = tep_href_link('password_reset.php', 'account=' . urlencode($email_address) . '&key=' . $reset_key, 'SSL', false);
It is not a clickable link, only a text link.

 

The way that the system is coded is to defeat a recent "hack" which went worldwide in a few other e-commerce shops and wordpress and so on...I can't remember the exact details though.

 

It's best to leave it as is...

 

However;

I don't see any particular reason why some shops might not decide to simply do this when the password_forgotten link is clicked:

 

1. create new password

2. send new password in email

 

What data do most shops hold ? Put another way;

 

To do "damage" a hacker must have access to the persons email account.

 

Questions to think about;

If hacker has access to their email account, how does that hacker know the person has an account at your shop?

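The posts above describe the reset flow only from the link's point of view (account + key in the query string). The following is an added example, not osCommerce code, of the server side of that flow the way a security engineer would want it: a random key is generated, only its hash is stored with an expiry and an attempt counter, the comparison is constant-time, and the key is single-use. The in-memory `$store` array stands in for the database table, and the names `issue_reset_key`, `consume_reset_key`, the TTL and the attempt limit are assumptions for illustration; the real password_reset.php and tep_href_link() are not used here so the script runs stand-alone with `php reset_demo.php`.

```php
<?php
declare(strict_types=1);

// Added example (not osCommerce code): minimal password-reset key lifecycle.
// $store is an in-memory stand-in for the database row that holds a pending reset.

const RESET_KEY_TTL = 3600;       // seconds a key stays valid (assumption: one hour)
const MAX_RESET_ATTEMPTS = 5;     // failed key checks tolerated before the reset is dropped

/** @var array<string,array{key_hash:string,expires:int,attempts:int}> */
$store = [];

function issue_reset_key(array &$store, string $email, string $base_url): string
{
    // 32 random bytes -> 43-char URL-safe key. Only its SHA-256 is persisted, so a
    // leaked database table does not hand an attacker usable reset links.
    $key = rtrim(strtr(base64_encode(random_bytes(32)), '+/', '-_'), '=');
    $store[strtolower($email)] = [
        'key_hash' => hash('sha256', $key),
        'expires'  => time() + RESET_KEY_TTL,
        'attempts' => 0,
    ];
    // Same query-string shape as the osCommerce link: account=<email>&key=<key>
    return $base_url . '/password_reset.php?account=' . urlencode($email) . '&key=' . $key;
}

function consume_reset_key(array &$store, string $email, string $key): bool
{
    $id = strtolower($email);
    if (!isset($store[$id])) {
        return false;                       // no pending reset for this account
    }
    $row = &$store[$id];
    if ($row['expires'] < time() || $row['attempts'] >= MAX_RESET_ATTEMPTS) {
        unset($store[$id]);                 // expired, or guessed at too often: discard it
        return false;
    }
    // hash_equals() runs in constant time, so response timing does not reveal
    // how many characters of a guessed key were correct.
    if (!hash_equals($row['key_hash'], hash('sha256', $key))) {
        $row['attempts']++;
        return false;
    }
    unset($store[$id]);                     // single use: a replayed link is rejected
    return true;
}

// --- demo run (constructed sample data) ---------------------------------------
$link = issue_reset_key($store, 'customer@example.com', 'https://shop.example');
echo "Reset link: {$link}\n";

parse_str((string) parse_url($link, PHP_URL_QUERY), $q);
var_dump(consume_reset_key($store, 'customer@example.com', 'wrong-key')); // a guessed key
var_dump(consume_reset_key($store, $q['account'], $q['key']));            // the emailed key
var_dump(consume_reset_key($store, $q['account'], $q['key']));            // the same key replayed
```

Whether the email itself is trustworthy is a separate question (Gary's point below about inbox access still stands); what this design guarantees is that nobody who lacks the emailed key, including someone reading the database, can finish the reset, and that the key cannot be brute-forced or reused.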

@@burt

 

Thanks for the reply Gary. It makes sense. 

 

I have now also checked the email received on my phone and there the link is clickable, so that may be something to do with the phone and its settings.

 

I have tried to add one of the older change password addons and that never worked so took it off again. I got no errors, it just never changed the password.

 

I also have a master password addon installed, but when using that I need the original password, which the customer cannot remember.

 

What I think I am going to have to do, is to come up with a small tutorial for customers that are not computer literate using pictures to show what they need to do. I will also alter the text on the password forgotten email to explain what to do with the text. That may stop a few phone calls for a while.


@@14steve14 In my 2.3.4 store my password forgotten links are sent in HTML (clickable format). There was a snippet of code posted on here some time ago to set this.

 

I could be wrong, but in password_forgotten.php at around line 40 I have this:

// Send correct link when HTML email is used
if ( EMAIL_USE_HTML == 'true' ) {
  $reset_key_url = '<a href="' . $reset_key_url . '">' . $reset_key_url . '</a>';
}


@@14steve14 In answer to Gary's question as to how someone would know the email address exists, the person asking for the reset could be a disgruntled employee or friend of the account owner wanting to cause problems. So I suggest you add code to password_reset.php and the account details files to send an email to the account owner letting him know the password and/or email address has been changed.


@@14steve14 yes, some email interfaces automatically make a url into a link. Google Mail does this...

 

But the actual text is not a link. I'm pretty sure that in fact most email interfaces do it...so you could probably do something like:

 

$reset_key_url = '<a href="' . tep_href_link('password_reset.php', 'account=' . urlencode($email_address) . '&key=' . $reset_key, 'SSL', false) . '">Click Me</a>';
I haven't tested it, but it looks about right.
Link to comment
Share on other sites

I think my problem was really customer operator error, or at least operator confusion. I do think that he is not alone as checking in the action recorder reports there are a few customers that seem to be trying more than once to change their passwords. I used to send the password to the customer in the account creation email, but some complained so I removed the code.

 

I have just altered the text in the password forgotten email to briefly explain that the text needs to be cut and pasted into the address bar. Once that is done the process works as it should.

 

I am also going to look into figuring out a way to send another email letting the customer know that the password has been changed, but first I must run the business.


@@14steve14

 

I send the password to the customer when they register, but only the first letter and last letter and the rest filled with xxxs. So if their password is doggy, I send them dxxxy. Usually people can remember their password when they see it like that.


If hacker has access to their email account, how does that hacker know the person has an account at your shop?

 

My email box is full of ads from businesses I have bought from. Most of them I never signed up for, but they don't seem to care. So yes, that hacker would have a long list of places where I have (or had) an account.

 

Worse yet, some of the bigger online sellers (thank you Amazon) keep your credit card info for quick reorders. Change the delivery address and the hacker has a nice Christmas present at your expense.

 

Regards

Jim


I had not considered that people leave their inbox full of old stuff...

 

Even so...does it change anything ?

 

Let's say I have access to your email inbox, and in that inbox is an email from "XYZ Co".

I don't know your "XYZ Co" password, so I do a password reset at their end.

 

At this point...from XYZ company;

You either get sent an email telling you the new password.

Or you get sent an email telling you to do something to reset your password.

 

As I have access to these emails...I get to read them as they come in, act on them, then delete them.

Then go on a buying spree.

 

To guard against this takes "something else", separation of password and email.

Perhaps SMS ? Some sort of two factor authorisation.

 

Anyway, I think I maintain my stance on "it's kinda ok I guess" with regards to sending password direct to email. That's a shopowner decision, as a coder what we have at osC is quite good as it is asking the shopper to do it all, and it is protected (if I recall correctly) to stop a brute strength password attack vector.

Link to comment
Share on other sites

There are two parts within the email boundaries: the text/plain part and the text/html part. An HTML link works in the HTML part and a text link works in the plain part, as the mail standards state. v2.3.4 does not have these parts properly set up officially. It's fixed in 2.4.

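The two-part point above, together with the HTML-wrapping snippets earlier in the thread, is easiest to see in a complete message. The following is an added example, not osCommerce code (osCommerce's own email class in includes/classes/email.php has add_text()/add_html() for the same job), that builds a multipart/alternative mail carrying the reset link in both parts: a bare URL on its own line in text/plain, which most clients auto-link and which pastes cleanly when they do not, and an escaped `<a href>` in text/html. The escaping matters: the `&` in `account=...&key=...` must become `&amp;` inside HTML, which the thread's `'<a href="' . $reset_key_url . '">'` snippets skip. The function name, the sample addresses and the key value are assumptions for illustration; the script prints the raw RFC 2046 message and runs stand-alone.

```php
<?php
declare(strict_types=1);

// Added example (not osCommerce code): a reset mail with text/plain and text/html parts.

function build_reset_message(string $to, string $from, string $subject, string $reset_key_url): string
{
    $boundary = 'b_' . bin2hex(random_bytes(16));   // random, so it cannot occur in the body
    $eol = "\r\n";

    // text/plain part: the URL sits alone on a line, which is what auto-linking
    // mail clients look for and what a customer can copy into the address bar.
    $text = "To choose a new password, open this link (copy it into your browser's address bar if it is not clickable):" . $eol
          . $eol . $reset_key_url . $eol . $eol
          . "If you did not ask for a reset, ignore this email; the link expires and your password is unchanged." . $eol;

    // text/html part: escape the URL so '&' becomes '&amp;' and quotes cannot break the attribute.
    $safe_url = htmlspecialchars($reset_key_url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $html = '<p>To choose a new password, <a href="' . $safe_url . '">click here</a> or paste this address into your browser:</p>' . $eol
          . '<p><code>' . $safe_url . '</code></p>' . $eol
          . '<p>If you did not ask for a reset, ignore this email; the link expires and your password is unchanged.</p>' . $eol;

    $headers = 'From: ' . $from . $eol
             . 'To: ' . $to . $eol
             . 'Subject: ' . $subject . $eol
             . 'MIME-Version: 1.0' . $eol
             . 'Content-Type: multipart/alternative; boundary="' . $boundary . '"' . $eol;

    // RFC 2046: alternative parts are listed from least to most preferred, so text/plain first.
    $body = '--' . $boundary . $eol
          . 'Content-Type: text/plain; charset=UTF-8' . $eol
          . 'Content-Transfer-Encoding: 8bit' . $eol . $eol
          . $text . $eol
          . '--' . $boundary . $eol
          . 'Content-Type: text/html; charset=UTF-8' . $eol
          . 'Content-Transfer-Encoding: 8bit' . $eol . $eol
          . $html . $eol
          . '--' . $boundary . '--' . $eol;

    return $headers . $eol . $body;
}

// Demo with a constructed URL of the same shape osCommerce builds via tep_href_link().
$reset_key_url = 'https://shop.example/password_reset.php?account='
               . urlencode('customer@example.com') . '&key=' . bin2hex(random_bytes(16));
echo build_reset_message('customer@example.com', 'shop@shop.example', 'Password reset', $reset_key_url);
```

A client that renders HTML picks the text/html part and shows a real link; a plain-text client, or a customer who has HTML mail switched off, gets the text/plain part with the same URL, so the "just plain text" experience described at the top of the thread comes from the client, not from a missing link.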
