Unable to login after password reset
#1
Somebody on my page entered into password reset page - and he tried to reset the password...

Didn't work, he also tried some tricks as I can see it now in access log, but...

when someone finds correct username and hits password reset - you are unable to access site!!!

Is it possible to block password reset feature? Mine doesn't work either (mail php is blocked)
Reply
#2
I think you can just delete the .reset file
NEW: SA Admin Toolbar Plugin | View All My Plugins
- Shawn A aka Tablatronix
Reply
#3
No, you have to delete admin.xml and rename admin.xml.reset to admin.xml - because admin.xml contains new password which was emailed to me and since mail will never come to me - my account is inaccessible :)

It would be nice to have an opportunity to disable this option (I can restore password through FTP if needed) so no asshole would be able to disable my site like this.

Anyway - It's definitely better to use different username than admin :) - or - to use email as passphrase to reset password.

...and if somebody will reset your password more than once - you will have to use xml from backup or edit your password, because both files will contain a new randomly generated password
Reply
#4
workarounds,
I guess you could block it with a htaccess file, and add IP restrictions to admin path.
Also do not use admin as username
Also change the admin folder name using GSADMIN

Also you can reset passwords by disabling salt and generating a sha1 password and editing the file.
- Shawn A aka Tablatronix
Reply
#5
Yes, I already found out everything :) thank you... IP restriction is useless - since I need to login from different places.

But best option would be possibility to disable password reset or - reset password by clicking on unique link which will be sent to me after password reset request... :(
Reply
#6
I'm having a similar issue. I did the password reset, however the emails aren't coming to me. I've confirmed in the admin.xml that the password reset emails should be coming to me.

I found previous password reset emails in my inbox and noticed that the passwords were 9 characters long. However, the password listed in the admin.xml and admin.xml.reset files are much longer. I try those passwords and they don't work.

I'm currently locked out of my site. Can anyone help? Thanks!
Reply
#7
Passwords stored in admin.xml are encrypted, so backup these files (just to be sure) and rename admin.xml.reset to admin.xml - it should contain your old password if you didn't try to reset passwd more than once. If you did - you need to generate a new password and replace the encrypted string with the new one.
Reply
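
The recovery steps from posts #3, #4 and #7 as a shell script (an added example, not code from the thread or from the CMS): it backs up both files, renames admin.xml.reset to admin.xml, and computes an unsalted SHA-1 hex digest for the case post #4 describes, where the salt is disabled. The function names and the directory argument are assumptions; `sha1sum` is assumed to be installed.

```shell
#!/bin/sh
# Added example: function names and the directory argument are assumptions.

# Back up admin.xml and admin.xml.reset, then rename the .reset copy back
# to admin.xml (posts #3 and #7). $1 = directory holding both files.
restore_reset_file() {
    dir=$1
    stamp=$(date +%Y%m%d%H%M%S)
    if [ ! -f "$dir/admin.xml.reset" ]; then
        echo "no admin.xml.reset in $dir" >&2
        return 1
    fi
    # Keep copies of both files first, as post #7 advises.
    if [ -f "$dir/admin.xml" ]; then
        cp -p "$dir/admin.xml" "$dir/admin.xml.bak.$stamp" || return 1
    fi
    cp -p "$dir/admin.xml.reset" "$dir/admin.xml.reset.bak.$stamp" || return 1
    mv -f "$dir/admin.xml.reset" "$dir/admin.xml"
}

# Print the unsalted SHA-1 hex digest of a password read from stdin
# (post #4: only matches what the site expects if the salt is disabled).
# Reading from stdin keeps the password out of the process list.
sha1_hex() {
    IFS= read -r pw || :
    printf '%s' "$pw" | sha1sum | cut -d' ' -f1
}
```

If the reset was triggered more than once, admin.xml.reset also holds a generated password (post #3), so the rename does not bring the old one back; in that case the digest from `sha1_hex` is what gets edited into the file.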



