John Posted January 7, 2016

Hello All,

This is a feature request I hope no one will have to use. When a database gets breached, or there is a flaw in the security of Blesta, we might need to require all clients to change their passwords (and two factor auth tokens). Currently, there is no way to do this.

Most sites just make you login, and then you can change your password. While this is very convenient for users, it is also extremely convenient for the person who managed to dump the database. Therefore, I recommend that after the user logs in, they get sent an email with a PIN number, which they have to put into the webpage. Then, it will allow them to reset their password. If they do not enter the PIN, then staff would get an alert, because this could mean that the client's account is breached.

While the Blesta team is very good at securing their product, this important feature is missing. I view it as a must-have. Right now, if a database were to get dumped we would have to manually reset clients' passwords. (VERY time consuming)

John
Cody Posted January 7, 2016

There's already a simple solution for this in the event that your database is leaked. You run the following query on your database:

UPDATE `users` SET `password` = '';

ALL users will now be unable to login and MUST request a password reset.

We're unlikely to build this into the system because this is such an exceedingly rare case, and I feel that since it is such an important decision to make, it ought to be done by someone with direct access to the database already.
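The forced reset Cody describes, written out as a transaction with a before/after count so the operator can see what was invalidated and roll back if the result is not what was expected. This is an added example, not code from the thread or from Blesta; only the `users` table and `password` column come from the post above, the MySQL/MariaDB syntax and the two-factor cleanup placeholder are assumptions.

```sql
-- Emergency forced password reset, following the approach in Cody's post.
-- Assumes MySQL/MariaDB and the `users`.`password` column named above.
-- Run it against a backup or staging copy first to confirm that the login
-- path really rejects a blank stored hash, then against production.
START TRANSACTION;

-- Record how many accounts still hold a usable password hash (for the
-- incident log).
SELECT COUNT(*) AS accounts_to_reset
  FROM `users`
 WHERE `password` <> '';

-- Invalidate every stored hash so that no credential recovered from a dump
-- can be used to log in; every user must go through the reset flow.
UPDATE `users`
   SET `password` = '';

-- Verify before committing: this must return 0. If it does not, issue
-- ROLLBACK instead of COMMIT and investigate.
SELECT COUNT(*) AS remaining_with_password
  FROM `users`
 WHERE `password` <> '';

-- Two-factor secrets and live sessions should be invalidated in the same
-- maintenance window. Their table and column names are not given in the
-- thread, so this is a placeholder to fill in from your own schema:
-- UPDATE `<two_factor_table>` SET `<secret_column>` = NULL;

COMMIT;
```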