Occasionally a user, having forgotten, asks me for their password. All I can do is change the password and tell them the new one.
Does it REALLY make sense to "hide" the user passwords from the administrator? We're not talking bank accounts here.
When one of our users loses their password, I usually just send them a link to the Lost Password page:
Oh Thomas, I suspect you might get a barrage of responses on this one….
You are not just hiding them from admin, but also from any hacker clever enough to breach the various levels of security you have in place.
I also disagree over the implication that the data stored is not as important as bank accounts. On most sites we are storing vital records of living people, which makes them extremely vulnerable to identity theft, a VERY major issue today. In many countries such protection is required by law.
The principles used by PGV conform to what most people would regard as 'best practice' for protecting personal data. It is important that we do not relax these requirements.
My other thought is that it is VERY important to instill in all users the great need for them to take serious care and thought over their passwords. Being able to emphasise that even admin can't access them helps you do that. So don't change their password and give them a new one. Make them take responsibility (or risk losing access) by doing as Matt recommends and pointing them to the Lost Password function.
Another voice from the peanut gallery -
I wholeheartedly agree with Matt, and how he handles it. With over 300 users, we get at least 2-3 requests per week, where they forget their U/N and/or P/Ws. While we will provide a U/N, AND remind them that both U/N and P/W are case-sensitive, we always point the user to the P/W function.
And, like KIWI, I think it imperative to remind them that security of their access via P/W and overall access is paramount, given their access to private data on living persons - addresses, phones, emails, DOBs, POBs, mother's maiden name, etc.
Nope, we would not support admin access to password visibility.
Actually, there's a very good technical reason why we can't tell users what their passwords are:
The encryption algorithm is one-way. This means that the database stores the encrypted version of the password set up by the user. When the user logs in, the entered password is encrypted using the same algorithm. If the two encrypted passwords match, the user must have entered the login password correctly.
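The one-way check described in the post above, as an added example that is not part of the thread and is not PhpGedView's own code. It assumes a salted PBKDF2-HMAC-SHA256 function (the thread does not say which algorithm PGV uses); the function names, the iteration count and the in-memory user table are hypothetical.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed work factor; not a value from the thread

# Constructed in-memory stand-in for the users table:
# username -> (salt, derived_key). The password itself is never kept.
USERS = {}


def _derive(password: str, salt: bytes) -> bytes:
    """One-way step: nothing maps the result back to the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def set_password(username: str, password: str) -> None:
    """Store a fresh random salt and the derived key only."""
    salt = secrets.token_bytes(16)
    USERS[username] = (salt, _derive(password, salt))


def verify_login(username: str, attempt: str) -> bool:
    """Run the attempt through the same function and compare the two results."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    # Constant-time comparison of the stored and freshly derived values.
    return hmac.compare_digest(stored, _derive(attempt, salt))


def admin_view(username: str) -> dict:
    """Everything an administrator, or anyone who copies the table, can read."""
    salt, stored = USERS[username]
    return {"salt": salt.hex(), "derived_key": stored.hex()}


if __name__ == "__main__":
    set_password("alice", "Tr0ub4dor&3")          # constructed sample credentials
    print(verify_login("alice", "Tr0ub4dor&3"))   # exact password matches
    print(verify_login("alice", "tr0ub4dor&3"))   # case differs, so no match
    print(admin_view("alice"))                    # salt and derived key only
    set_password("alice", "new-passphrase")       # a lost password can only be replaced
    print(verify_login("alice", "Tr0ub4dor&3"))   # the old password no longer works
```

Because each record has its own random salt, two users who pick the same password still end up with different stored values.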