11 thoughts on “Hacking WordPress Login and Password Reset Processes For My University Environment

  1. Interesting stuff.

    I’m curious how the SMS password reset works, just from a high-level user interaction view. When they choose to reset their password, and the system is using the SMS method… what does it send them via SMS, and how do they use this to reset their password? Or does it just send them a temporary password?

    • @Jonathan Rochkind:

      I’d meant to add some screenshots to the post before publishing it. I’ve finally added them, and you’ll see that the process is pretty much the same as you’re probably familiar with when receiving password reset codes by email. The text message includes a short code and a phone number to our help desk. The code is entered in the web form and the user is allowed to enter their own password immediately.

  2. Neat!

    But I’m confused cause I thought you said your university policy didn’t allow sending passwords over email?

    But, okay, it does allow sending use-once temporary passwords? Or it allows it over SMS but not email?

    • @Jonathan Rochkind:

      It wouldn’t be entirely unfair to accuse me of splitting hairs when I insist that the reset code isn’t a password, but here’s the story:

      The code itself can’t be used to log in to any systems, only to set a new password. (We worked hard starting ten years ago or more to get everything across campus using either CAS or authenticating against LDAP/AD.)
      Requesting a reset code doesn’t reset the user’s password (so it can’t be used to DOS a prof just before class).
      It’s time limited and single-use.

  3. Also, I’m curious where you get user’s cell phone numbers from! Are users entering them into your custom library systems, or are you getting them from a central university enterprise identity service of some kind?

  4. Pingback: » My WordCamp NYC Talks MaisonBisson.com

  5. Pingback: Hacking WordPress MU to power a school-wide content portal | Rodeworks Tech

Comments are closed.