
Problem getting 'lost password' for mail clients


Henk van Andel

Guest
Anyone can recover their password when logging in to Plesk, including mail clients logging in as [email protected].

However, I found that:

The original password is sent to a known e-mail address; no matter what address is entered, Plesk sends it to [email protected]. The client cannot access this because he lost his password! Catch 22? Or am I doing something stupid? You can enter an e-mail address for receiving the lost password, but addresses other than [email protected] are being refused. Logically, because otherwise everybody could steal the password of anybody just by knowing his e-mail address for logging in.
Any comments? Suggestions?

Moreover, sending the original password in clear text by e-mail is unsafe. Plus it implies that the server stores the original passwords (hopefully encrypted?!) where they could be hacked.
To me it seems preferable to send a new temporary password and urge/force the client to change it immediately over https.
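
The flow proposed in the post above, sketched as an added example (not part of the original post and not Plesk's code): the server keeps only salted hashes, issues an expiring single-use temporary password, and sends it to an address taken from the account record rather than from the request form. `MailAccount`, `request_reset`, `recovery_address`, the 15-minute lifetime and the PBKDF2 parameters are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

TEMP_TTL = 15 * 60      # assumed lifetime of a temporary password, in seconds
ITERATIONS = 200_000    # assumed PBKDF2 work factor

def _digest(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)

class MailAccount:
    """Hypothetical account record: only salted hashes are kept, never the password."""

    def __init__(self, password, recovery_address):
        self.recovery_address = recovery_address  # external address registered in advance
        self.salt = secrets.token_bytes(16)
        self.digest = _digest(password, self.salt)
        self.temp_digest = None
        self.temp_expires = 0.0

    def request_reset(self, now=None):
        """Create a temporary password; return (where to send it, the value)."""
        now = time.time() if now is None else now
        temp = secrets.token_urlsafe(12)
        self.temp_digest = _digest(temp, self.salt)
        self.temp_expires = now + TEMP_TTL
        # Destination comes from the stored record, never from the request form.
        return self.recovery_address, temp

    def login(self, password, now=None):
        """Return 'ok', 'change_required' (temporary password) or 'denied'."""
        now = time.time() if now is None else now
        candidate = _digest(password, self.salt)
        if hmac.compare_digest(candidate, self.digest):
            return "ok"
        if (self.temp_digest is not None and now <= self.temp_expires
                and hmac.compare_digest(candidate, self.temp_digest)):
            return "change_required"
        return "denied"

    def change_password(self, temp, new_password, now=None):
        """Redeem the temporary password once and replace the stored hash."""
        if new_password == temp or self.login(temp, now) != "change_required":
            return False
        self.salt = secrets.token_bytes(16)
        self.digest = _digest(new_password, self.salt)
        self.temp_digest = None  # single use
        return True
```

The old password keeps working until the temporary one is redeemed, so a reset requested by someone else cannot lock the owner out.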
 