Password Reset for UCP

I have an installation of FreePBX, and I’m about to roll it out to all users. What I’ve found difficult is the functionality of resetting a user’s UCP password.

When I first set up the system, which was a good 5 months ago, users may have gotten an email with their login password, but as UCP hadn’t been implemented (or at least installed) yet, they probably disregarded the email.

Now, I’m ready to switch over to UCP, and I would like an easy procedure to reset a user’s password, have the system send them a temporary password, then they would be required to change the password upon first login. Currently, if I select the option to send the user a welcome email, their password shows <hidden>. I understand exactly how bad of a practice it is to send passwords in cleartext, which is why I’d like to have a requirement to change their password on first login. Also, if I go through all of my users and set their passwords to something random and manually send them an email, I have to a) manage all those passwords and emails, and b) I have no way to ensure that they don’t just keep that password.

In my ideal world, I’d be able to right-click on their username (or select an option in the user management screen) that would generate a random password for them, send said password in email, and invite them to change the password upon first login. Additionally, this temporary password would expire after a set amount of time, so if it is intercepted, and the user never logs in, then there is no need to follow up with each user to ensure they updated their password. People whose temporary logins have expired can just contact the helpdesk, and a new reset request can be sent to their email address.

I realize this isn’t a small procedure, but it’s very much the standard for most sites requiring a password. The administrator never needs to know the user’s password, and all communications with the permanent password are encrypted via SSL. (I have my installation set to SSL only.)

Are there any parts of the scenario above that are currently available? For the short term, it would be great if I could manually enter a new password for them and have that password emailed to them. Then I could stand over their shoulder and make sure they change it to something else, and I don’t think it would be all that difficult to change the <hidden> message in the email to their actual password. (There may already be a switch in place of which I am unaware that will do this.)

Long term, it would be wise (and super great) if FreePBX could consider a temporary password feature, so that we can have good user security.

Thanks in advance for any advice you could offer me. Have a great day!

-Craig

1 Like

This is where I want to go with UCP, password resets and regenerating passwords and temp passwords, etc. So yes great points!

Something I am really not sure about is we are slowly needing a way to store passwords in the database, not in plain text but through some encryption that can be decoded. But thats also bad, the problem is for things like XMPP and BRIA we need to send the password to those services in plain text…

OK, awesome! My biggest fear was that I would look like a big dummy because this sort of thing was already possible and I didn’t know about it.

So in the meantime, is there any sort of switch or setting that would include the password, rather than the <hidden> message, in the user email?

No you’d have to modify the source. Hopefully in the next 4 weeks or less I can get this done for you, it’s something very important to me.

Great. I won’t go modifying any source. It’s something I can live with for a while. (If I could modify it to help you out, I’d do it, but I would just break it, I’m sure…)

Thank you for the quick reply, and thank you for all the hard work you guys do on this project.