judy at Web2Market  
#1 Posted : Thursday, March 21, 2024 7:46:57 AM(UTC)

Rank: Advanced Member

Groups: Developers
Joined: 11/7/2018(UTC)
Posts: 289

Thanks: 21 times
Was thanked: 5 time(s) in 5 post(s)
I know that customers will need to reset their passwords after the site is upgraded, but will they be able to log in with the old password the first time and then be prompted to reset, or will they have to request a lost password email? We have a client who is upset about it, partly because of issues with lost password emails going to spam, not being delivered, etc.

Katie S  
#2 Posted : Thursday, March 21, 2024 3:51:07 PM(UTC)

Rank: Advanced Member

Groups: System, Administrators, Developers, Registered, HelpDesk
Joined: 10/29/2018(UTC)
Posts: 423

Thanks: 4 times
Was thanked: 34 time(s) in 33 post(s)
Hi Judy,

They will be able to log in with the old password and will be prompted to reset.

Thanks for your support!

Katie
Secure eCommerce Software and Hosting
charles25686713  
#3 Posted : Tuesday, March 26, 2024 3:46:51 PM(UTC)

Rank: Advanced Member

Groups: Authorized User, Developers
Joined: 7/1/2022(UTC)
Posts: 64

Thanks: 5 times
Was thanked: 1 time(s) in 1 post(s)
Originally Posted by: judy at Web2Market
I know that customers will need to reset their passwords after the site is upgraded, but will they be able to log in with the old password the first time and then be prompted to reset, or will they have to request a lost password email? We have a client who is upset about it, partly because of issues with lost password emails going to spam, not being delivered, etc.

You don't have to force a password reset across the board.

With the right SQL, you can undo the password reset flag on all users post upgrade.

That's what I did. Forcing all our users to change their password was a definitive NO GO for us.

judy at Web2Market  
#4 Posted : Wednesday, March 27, 2024 7:54:43 AM(UTC)

Rank: Advanced Member

Groups: Developers
Joined: 11/7/2018(UTC)
Posts: 289

Thanks: 21 times
Was thanked: 5 time(s) in 5 post(s)
I thought about that, but hesitated since there seemed to be a security reason for the change.
charles25686713  
#5 Posted : Wednesday, March 27, 2024 9:01:42 AM(UTC)

Rank: Advanced Member

Groups: Authorized User, Developers
Joined: 7/1/2022(UTC)
Posts: 64

Thanks: 5 times
Was thanked: 1 time(s) in 1 post(s)
Originally Posted by: judy at Web2Market
I thought about that, but hesitated since there seemed to be a security reason for the change.

Indeed. They switched from one hashing algorithm to another.

However, I disagree with their approach. They could have done it in a much more user friendly manner.

When a user logs in with an account whose password is stored in the old hash, they simply rehash it with the new algorithm and store the result.

Forcing everyone to change it does not increase security one iota over the above more user friendly approach.

Obviously, it's your, or your customer's, choice.

For my company, it was completely unfathomable and unreasonable to force everyone to change their password.
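The rehash-on-login migration described in the post above, as an added illustration that is not code from the thread or from AbleCommerce. The scheme names, the stand-in legacy algorithm (a single salted SHA-1) and the replacement (PBKDF2-HMAC-SHA256) are assumptions for the example; the sample account is constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

LEGACY_SCHEME = "legacy-sha1"     # placeholder label for the pre-upgrade algorithm (assumed)
CURRENT_SCHEME = "pbkdf2-sha256"  # placeholder label for the post-upgrade algorithm (assumed)
PBKDF2_ROUNDS = 210_000


@dataclass
class UserRecord:
    username: str
    scheme: str      # which hash the stored digest was produced with
    salt: bytes
    digest: bytes


def legacy_hash(password: str, salt: bytes) -> bytes:
    # Stand-in for the old algorithm; assumed here, not AbleCommerce's actual scheme.
    return hashlib.sha1(salt + password.encode()).digest()


def current_hash(password: str, salt: bytes) -> bytes:
    # Stand-in for the new algorithm: a slow, salted KDF.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify(user: UserRecord, password: str) -> bool:
    # Dispatch on the stored scheme so both old and new rows remain verifiable.
    if user.scheme == LEGACY_SCHEME:
        expected = legacy_hash(password, user.salt)
    elif user.scheme == CURRENT_SCHEME:
        expected = current_hash(password, user.salt)
    else:
        return False
    return hmac.compare_digest(expected, user.digest)  # constant-time comparison


def login(store: dict, username: str, password: str) -> bool:
    user = store.get(username)
    if user is None or not verify(user, password):
        return False
    if user.scheme != CURRENT_SCHEME:
        # The plaintext is only available during a successful login, so this is
        # the one moment the row can be upgraded without asking the user for a reset.
        user.salt = os.urandom(16)
        user.digest = current_hash(password, user.salt)
        user.scheme = CURRENT_SCHEME
    return True


def make_store() -> dict:
    # Constructed sample data: one account still stored under the legacy hash.
    salt = b"constructed-salt"
    return {"judy": UserRecord("judy", LEGACY_SCHEME, salt, legacy_hash("correct horse", salt))}
```

Accounts that never log in keep the legacy hash, so this approach is usually paired with a deadline after which remaining legacy rows are forced to reset.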

Katie S  
#6 Posted : Wednesday, March 27, 2024 2:06:40 PM(UTC)

Rank: Advanced Member

Groups: System, Administrators, Developers, Registered, HelpDesk
Joined: 10/29/2018(UTC)
Posts: 423

Thanks: 4 times
Was thanked: 34 time(s) in 33 post(s)
Quote:
However, I disagree with their approach. They could have done it in a much more user friendly manner.

Quote:
For my company, it was completely unfathomable and unreasonable to force everyone to change their password.

I'm very sorry that our approach to updating the password after upgrade upset you, and perhaps others. As far as I know, this is the first complaint since we implemented the change. One of the lead developers made the suggestion and we went with it because it was relatively simple to implement. We had to make the change for PCI compliance. However, the approach to upgrading a customer's password may not have been the best.

Thank you for your feedback.
Thanks for your support!

Katie
Secure eCommerce Software and Hosting