[CONFSERVER-32692] Add a configuration setting that allows an Admin to disable the "Forgot Password?" functionality.

    We collect Confluence feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion.

      There should be a built-in configuration setting that allows an Admin to simply disable the "Forgot Password?" functionality without having to add styles and modify templates.

      We're currently utilizing the solutions in the workarounds provided below, but we'd like to see this functionality built into Confluence.

      Known Workarounds:
      https://answers.atlassian.com/questions/102042/remove-forgot-paassword-link-in-confluence

      https://confluence.atlassian.com/display/CONF41/Disabling+Password+management+from+User


            Guy Anela added a comment -

            Hi Sherif - I don't believe it really solves issue #2 I listed above and based on the number of Google results I came across while originally researching this, I'm guessing that there might be other legitimate reasons for wanting this feature added.

            Anyhow, I'm not going to go back-and-forth on this. You guys make the ultimate decision so I'll leave it in your hands. I've already disabled the feature (manually) so it really doesn't affect us any longer... I just thought it might be nice to make it a little easier and more intuitive for others.

            Cheers!


            Sherif Mansour added a comment -

            Thanks Guy, I just don't think we are going to implement another setting to disable this feature. It makes no sense if we solve the root of the problem.

            Guy Anela added a comment -

            Hi Sherif - I think that's a good "additional" feature, but I still think it would be nice to be able to easily disable the feature through the GUI.


            Sherif Mansour added a comment -

            Thanks for the information, ganela.
            I've spoken about this with one of our security specialists. And we're wondering if the bigger issue here is that the forgot password functionality shouldn't acknowledge if a username is correct or not - that sounds like the ideal solution to the problem, rather than adding another setting to an already crowded product full of settings.

            Are you okay with that? If so I'd like to rename this issue.

            Guy Anela added a comment - edited

            Hey Sherif - Obviously there are others out there that want to do this as well (See workaround links I provided in the description above), but here are a couple of reasons why we want to be able to do this...

            1. To prevent potential hack attempts. Last week someone tried to hack our public facing Confluence site using the "Forgot Password?" functionality. This site only has a few users so we decided it'd be best if we simply disabled the "Forgot Password" functionality and managed the password resets manually.

            2. To prevent attacks through email. It wouldn't be difficult for a malicious user to write a script that looped through the Forgot Password feature with a specific set of userids to send thousands of emails.

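The two comments above describe the same handler from both sides: Sherif's proposal that the forgot-password flow should not reveal whether a username exists, and Guy's two concerns (probing the site through the form, and looping it to send thousands of emails). The following is an added example, not Confluence code or anything from this issue; `ResetService`, its settings, the user directory and the sample addresses are all constructed for illustration. It returns one fixed reply on every path, sends at most one reset mail per account per window, throttles each client address, and counts the suppressed events so they can be alerted on.

```python
"""Added example (not Confluence code): a 'forgot password' request handler that
returns a single generic reply whether or not the username exists, and throttles
both per account and per client so the feature cannot be looped to flood a mail
server. ResetService, its parameters and the sample data are constructed."""
from __future__ import annotations

import secrets
import time
from collections import Counter, deque
from dataclasses import dataclass, field

# The only message a caller ever sees, so the response cannot be used to enumerate accounts.
GENERIC_REPLY = "If an account matches, a reset link has been sent to its email address."


@dataclass
class ResetService:
    users: dict[str, str]                          # username -> email (constructed directory)
    per_account_window: float = 900.0              # at most one reset mail per account per 15 min
    per_client_limit: int = 5                      # max requests per client address per client_window
    client_window: float = 600.0                   # seconds
    outbox: list[tuple[str, str]] = field(default_factory=list)  # (email, token) a mailer would send
    metrics: Counter = field(default_factory=Counter)            # internal counters for dashboards/alerts
    _last_sent: dict[str, float] = field(default_factory=dict)   # account -> time of last mail
    _client_hits: dict[str, deque] = field(default_factory=dict) # client -> recent request times

    def _client_allowed(self, client_ip: str, now: float) -> bool:
        """Sliding-window limit: drop timestamps older than client_window, then compare."""
        hits = self._client_hits.setdefault(client_ip, deque())
        while hits and now - hits[0] > self.client_window:
            hits.popleft()
        if len(hits) >= self.per_client_limit:
            return False
        hits.append(now)
        return True

    def request_reset(self, username: str, client_ip: str, now: float | None = None) -> str:
        """Handle one 'Forgot Password?' submission. Always returns GENERIC_REPLY."""
        now = time.time() if now is None else now
        key = username.strip().lower()               # normalise so 'Alice ' and 'alice' share a window

        if not self._client_allowed(client_ip, now):
            # A single client hammering the form looks like a scripted loop; count it, send nothing.
            self.metrics["throttled_client"] += 1
            return GENERIC_REPLY

        # Generate the token on every path so the known and unknown branches do similar work.
        token = secrets.token_urlsafe(32)
        email = self.users.get(key)
        if email is None:
            self.metrics["unknown_user"] += 1        # recorded internally, never revealed to the caller
        else:
            last = self._last_sent.get(key)
            if last is not None and now - last < self.per_account_window:
                self.metrics["suppressed_account_window"] += 1  # repeat request: no second mail
            else:
                self.outbox.append((email, token))
                self._last_sent[key] = now
                self.metrics["sent"] += 1
        return GENERIC_REPLY


if __name__ == "__main__":
    svc = ResetService(users={"alice": "alice@example.test"})
    print(svc.request_reset("alice", "203.0.113.5"))
    print(svc.request_reset("nobody", "203.0.113.5"))   # identical reply, nothing sent
    print(dict(svc.metrics), len(svc.outbox))
```

The `metrics` counters are the detection hook: a spike in `throttled_client` or `unknown_user` from one address is exactly the scripted probing Guy describes, and it is visible to the operator without ever being visible to the caller. The timestamps are injected through `now` so the windows can be exercised deterministically in tests.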

            Sherif Mansour added a comment -

            Thanks for the feedback, Guy. To be honest, I'm not clear as to why we would implement this. Could you shed some light into why you are trying to do this?
