Roundup Tracker - Issues

Issue 620931

classification
Lost passwords
Type: rfe Severity: normal
Components: Interface Versions:
process
Status: closed fixed
Assigned To: richard
Nosy List: ber, jkew, richard, stefan, tobias
Priority: normal

Created on 2002-10-09 18:48 by tobias, last changed 2003-03-06 06:54 by richard.

Messages
msg3066 Author: [hidden] (tobias) Date: 2002-10-09 18:48
Hi!

I recently lost my password to our issue tracker. I had
to get someone to reset it using the command-line
interface, which is not very convenient... There should
be some way to reset the password like there is on most
sites that feature user accounts.

Regards,
Tobias
msg3067 Author: [hidden] (stefan) Date: 2002-10-09 18:55
In fact, it would be nice to store the plaintext password in
Roundup so a user can request the password to be sent to him.
msg3068 Author: [hidden] (ber) Date: 2002-10-10 14:17
I'm not sure that saving a plain-text password is a good idea.
Sending it out by email is also common, but not the best of
ideas security-wise. I'd like to keep it saved in an encrypted
state.

I'd like to see a way to request a new password, which should
be set at random. Mailman has something like this to add
users: you just add somebody and they get a password by email.

For the admin, resetting the password using

roundup-admin -i instances/tracker
set user10 password="juhu"

is easy and scriptable. :)
msg3069 Author: [hidden] (stefan) Date: 2002-10-10 14:24
While I completely agree with you about the security issues, I don't
think that storing the passwords plaintext on the server side will
hurt anybody. And doing so allows admins to choose how to handle
them, i.e. whether to add a script to send out passwords plaintext if
requested, or whether just to reset it. And since you cite Mailman,
it also allows monthly reminders containing plaintext passwords :-)

Again, the question is not whether Roundup-based trackers should
send out plaintext passwords, but whether it should be possible for
admins to write such scripts.
msg3070 Author: [hidden] (richard) Date: 2002-10-10 22:38
The password encryption scheme is flexible at present - all it needs is
to be configurable. The default will always be SHA encryption :)

I'd be happy to accept a CGI form action that resets a user's password
and emails the password to them (based on a supplied email address).
A more complete solution would mimic the SourceForge forgotten
password system (you have no idea how often I get email indicating
that someone else thought they had the sf username "richard" :)

The latter implies extra functionality in the mail gateway which isn't
possible at present :(
 
msg3071 Author: [hidden] (jkew) Date: 2002-11-18 10:49
Seconded -- it's possible to create users with blank
passwords, and it's possible to later set a password, but
it's not currently possible to reset the password to
blank.
msg3072 Author: [hidden] (jkew) Date: 2002-11-18 23:40
<blush> Ignore my comment below, I was thinking of a 
different issue. (No way for a user with a password set to 
clear it to a blank password -- I'll raise as a separate issue 
once I've thought it through.)

I tend to agree with Bengt and Richard on the saving-
plaintext issue -- implementing "forgotten my password" 
as "set a random password and email it to me" is fine. Yes, 
the user then has to change his password back to 
something he _can_ remember, but that's not a big deal 
and shouldn't happen very often.

Note however that "forgotten my password" on a publicly-
accessible tracker can be abused: if J Random Annoyance 
guesses your username and hits "forgotten password" on 
your behalf you get an unwanted email and, in the no-stored-
plaintext model, an unwanted password change...

I'd guess adding it to the security model as a permission 
which may or may not be granted to Anonymous would be 
adequate configuration.
msg3073 Author: [hidden] (richard) Date: 2002-11-18 23:56
I'll most likely use the scheme I've implemented for PyPI (http://pypi.sf.net/) 
which is to: 
1. if the user remembers their username, they enter it and roundup sends 
them an email to their primary email address with a url to click on to reset 
the password, or 
2. if they know the email address they registered with (or follow the above 
link) then they enter it and the system sends them an email with their new 
password. PyPI also reminds them what their username is in the same email, 
and I think I'll do that too. 
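The two-step scheme Richard outlines in the message above (confirmation link first, then a fresh random password mailed together with a username reminder) also answers the abuse case jkew raised earlier in the thread, because nothing about the account changes until the emailed link is actually followed. The following Python is an added example written for this page, not Roundup's own code: the `User` and `PasswordReset` classes, the reset URL, the 15-minute token lifetime, the in-memory outbox standing in for SMTP, and the salted PBKDF2 storage (a stand-in for the SHA scheme the thread mentions) are all assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Assumed values for this example; neither is Roundup's.
TOKEN_TTL = 15 * 60
RESET_URL = "https://tracker.example/reset?token="


@dataclass
class User:
    username: str
    email: str
    password_hash: str = ""   # only a salted hash is stored, never the plaintext


def hash_password(password: str, salt: str = "") -> str:
    """Salted PBKDF2-SHA256 in "salt$hexdigest" form (assumed stand-in for
    Roundup's own SHA password scheme)."""
    salt = salt or secrets.token_hex(8)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000)
    return f"{salt}${digest.hex()}"


def check_password(user: User, password: str) -> bool:
    salt = user.password_hash.split("$", 1)[0]
    return hmac.compare_digest(hash_password(password, salt), user.password_hash)


@dataclass
class PasswordReset:
    users: Dict[str, User]
    # (to, subject, body) tuples collected instead of being sent over SMTP
    outbox: List[Tuple[str, str, str]] = field(default_factory=list)
    # sha256(token) -> (username, expiry time); the raw token is never stored
    pending: Dict[str, Tuple[str, float]] = field(default_factory=dict)
    clock: Callable[[], float] = time.time

    def request_reset(self, username: str) -> str:
        """Step 1: mail a confirmation link. The account is untouched until the
        link is followed, so someone guessing a username only causes an email,
        not a password change. The reply is identical whether or not the
        username exists, so the form does not reveal valid accounts."""
        user = self.users.get(username)
        if user is not None:
            token = secrets.token_urlsafe(32)
            key = hashlib.sha256(token.encode()).hexdigest()
            self.pending[key] = (username, self.clock() + TOKEN_TTL)
            self.outbox.append((user.email, "Confirm password reset",
                                "Follow this link within 15 minutes to reset your password:\n"
                                f"{RESET_URL}{token}\nIf you did not ask for this, ignore it."))
        return "If that username exists, a confirmation link has been mailed."

    def confirm_reset(self, token: str) -> bool:
        """Step 2: the link was followed; set a fresh random password and mail
        it together with a reminder of the username."""
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(key, None)          # single use: second click fails
        if entry is None:
            return False
        username, expires_at = entry
        if self.clock() > expires_at:                # stale link: nothing changes
            return False
        user = self.users[username]
        new_password = secrets.token_urlsafe(12)
        user.password_hash = hash_password(new_password)
        self.outbox.append((user.email, "Your new tracker password",
                            f"Username: {username}\nPassword: {new_password}\n"
                            "Please change it after logging in."))
        return True


def token_from_mail(body: str) -> str:
    """Recover the token from a confirmation mail (what the user's click supplies)."""
    return body.split(RESET_URL, 1)[1].split()[0]


def password_from_mail(body: str) -> str:
    for line in body.splitlines():
        if line.startswith("Password: "):
            return line[len("Password: "):]
    raise ValueError("no password line in mail body")


if __name__ == "__main__":
    # Constructed sample account, not real tracker data.
    users = {"tobias": User("tobias", "tobias@example.org", hash_password("old-secret"))}
    reset = PasswordReset(users)
    print(reset.request_reset("tobias"))
    reset.confirm_reset(token_from_mail(reset.outbox[0][2]))
    print("new password works:", check_password(users["tobias"], password_from_mail(reset.outbox[1][2])))
```

Whether Anonymous may hit the request form at all is still a separate permission question, as jkew suggests; the token step only limits what an unauthenticated request can do, it does not limit the volume of email it can trigger.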
 
msg3074 Author: [hidden] (richard) Date: 2003-03-06 06:54
This is implemented in CVS HEAD. 
 
History
Date User Action Args
2002-10-09 18:48:13 tobias create