I think passwords should be stored in an irrecoverable format. I should not be able to request my password via a password reset link. The most I ought to be able to do is request a password reset e-mail.
Is it possible to implement password hashing (ideally with a salt) in line with best practices?
I already know I can turn off the password reset link, but I would like to have a way to ensure that passwords are stored in an irrecoverable format (even if I have to enable it).
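The two properties asked for above (irrecoverable storage, and a reset e-mail instead of a password e-mail) are shown together in the following added example. It is not code from the original post or from the software being discussed; it is a self-contained sketch using Python's standard library, with PBKDF2-HMAC-SHA256 chosen as the hash and the iteration count, record format, function names and the in-memory store all being assumptions made for the illustration.

```python
"""Salted, irrecoverable password storage plus an e-mail reset-token flow.

Added example, not from the original forum post or the product it discusses.
Assumed choices: PBKDF2-HMAC-SHA256 from the standard library, a 16-byte
random salt, and a self-describing record string so the work factor can be
raised later without breaking old records.
"""
import hashlib
import hmac
import os
import secrets
from typing import Optional

ALGORITHM = "pbkdf2_sha256"   # assumed label stored in each record
ITERATIONS = 600_000          # assumed work factor; raise as hardware improves
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a record of the form algorithm$iterations$salt_hex$hash_hex.

    Only this record is stored. Because the hash is one-way, the server can
    never send the password back to the user, which is the point of the post.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)        # fresh salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash with the stored salt/iterations and compare
    in constant time, so timing does not leak how many bytes matched."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False                         # malformed record, refuse
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


def issue_reset_token(now: int, ttl_seconds: int = 3600) -> tuple:
    """Create a reset token. The raw token goes into the e-mail; only its
    SHA-256 and an expiry are stored, so a database leak cannot be turned
    into working reset links. Returns (raw_token, stored_record)."""
    token = secrets.token_urlsafe(32)
    record = {
        "token_hash": hashlib.sha256(token.encode("ascii")).hexdigest(),
        "expires_at": now + ttl_seconds,
    }
    return token, record


def redeem_reset_token(presented: str, record: dict, now: int) -> bool:
    """Accept a presented token only if it is unexpired and its hash matches.
    The caller should delete the record after a successful redemption so a
    token is single-use."""
    if now >= record["expires_at"]:
        return False
    presented_hash = hashlib.sha256(presented.encode("ascii")).hexdigest()
    return hmac.compare_digest(presented_hash, record["token_hash"])


if __name__ == "__main__":
    # Constructed walk-through of the two flows with an in-memory "database".
    users = {"alice": hash_password("correct horse battery staple")}
    print("login ok:", verify_password("correct horse battery staple", users["alice"]))
    print("wrong pw:", verify_password("Tr0ub4dor&3", users["alice"]))

    raw, stored = issue_reset_token(now=1_700_000_000)
    print("reset link would carry:", raw)            # e-mailed, never stored
    print("reset ok :", redeem_reset_token(raw, stored, now=1_700_000_060))
    print("expired  :", redeem_reset_token(raw, stored, now=1_700_003_601))
```

Two details are worth noting. The stored record never contains the password or anything it can be reversed from, which is what makes the "send me my password" feature impossible to implement rather than merely switched off. And the reset token is treated like a password: random, hashed at rest, time-limited, and meant to be invalidated after one use.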
We have implemented two suggestions you made earlier:
These features will be part of version 4.5. Let us know via email (email@example.com) if you're interested in trying out this version before it is publicly released.
Thanks for this update!
In the config file (or via web interface) how do I enable the password recovery? Do I simply remove the "allowUsersToRetrieveLostPwd" line, which I have disabled now, or do I set the value to true? Perhaps change the type? Is there anywhere besides the forum I can look to answer this one?