A key feature that has been requested by cPanel Server Administrators, cPanel Users, and End Users (Webmail, FTP, Web Disk) alike has been the ability to reset passwords without Administrator or Account Owner intervention. We have recently revamped the Password Reset process to enhance its capabilities and extend them so that Subaccounts can reset their passwords through a self-service process. This means that Webmail, FTP, and Web Disk accounts that were created with the User Manager, introduced in v54, or that have a recovery/contact email on file, will be able to take advantage of this self-service capability. I ask that you take a look at what we have to offer for Password Reset coming in v56.

User Experience Enhancements

  • The user desiring to reset their password must complete a “challenge” by entering the correct recovery/contact email which is on file with the account. The long dash stands for an unknown number of characters, so as to obscure the number of characters in the username.

[Image: PassReset-Challenge]

  • Security Codes are delivered as a 10-digit numeric code, reducing complexity for users with international keyboards.

[Image: PassReset-Security]

  • Rather than generating a new password upon completion, the user is able to set a password of their own choosing.

[Image: PassReset-Reset]

Security Considerations

While a self-service password reset process is a highly requested feature, the security of this application was a top priority for our project team. Here are a few measures that address some of the most common security concerns:

  • Upon entering a username which does not exist on the server, the process continues as if the entered username does exist. The “challenge” appears and presents a recovery/contact email regardless, so the end user cannot determine whether the entered username exists.
  • Each page within the process is given a unique cookie to prevent a user from entering the password reset process out of sequence or from a device other than the one which initiated the reset process.
  • Flood Control has been extended to prevent a surge of attempts against a single username, blocking additional reset attempts within a given time period.
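As an added illustration (not cPanel's code), the following Python sketch shows how the three measures above fit together with the masked challenge and 10-digit code described earlier: a stable decoy hint for unknown usernames, an HMAC-based cookie bound to the step number and the initiating device, and a sliding-window limit on reset starts per username. The account data, limits, decoy-domain list and cookie scheme are all assumptions made for the example.

```python
import hmac, hashlib, secrets, time
from collections import defaultdict

SECRET = secrets.token_bytes(32)       # per-process key for step cookies (assumption)
WINDOW, MAX_STARTS = 600, 5            # flood control: 5 reset starts per username per 10 minutes
DECOY_DOMAINS = ("gmail.com", "outlook.com", "yahoo.com")   # assumed plausible decoy domains
ACCOUNTS = {"alice": "alice.smith@example.com"}             # constructed: username -> recovery email
starts, pending = defaultdict(list), {}

def _cookie(username, step, device):   # step cookie bound to user, step number and initiating device
    return hmac.new(SECRET, f"{username}|{step}|{device}".encode(), hashlib.sha256).hexdigest()

def _valid(cookie, username, step, device):
    return hmac.compare_digest(cookie.encode(), _cookie(username, step, device).encode())

def flooded(username):                 # sliding window of reset starts for this username
    now = time.time()
    starts[username] = [t for t in starts[username] if now - t < WINDOW] + [now]
    return len(starts[username]) > MAX_STARTS

def start(username, device):
    """Step 1: show a challenge whether or not the username exists; returns (hint, cookie)."""
    if flooded(username):
        return None
    email = ACCOUNTS.get(username)
    if email is None:  # stable decoy: the same unknown name always yields the same hint
        d = hmac.new(SECRET, username.encode(), hashlib.sha256).digest()
        first, domain = chr(ord("a") + d[0] % 26), DECOY_DOMAINS[d[1] % len(DECOY_DOMAINS)]
    else:
        first, domain = email[0], email.split("@", 1)[1]
    return f"{first}\u2014@{domain}", _cookie(username, 1, device)   # long dash hides the length

def answer_challenge(username, device, cookie, entered):
    """Step 2: step-1 cookie from the same device plus the full recovery email on file."""
    email = ACCOUNTS.get(username, "")
    if not (_valid(cookie, username, 1, device)
            and hmac.compare_digest(entered.lower().encode(), email.lower().encode())):
        return None                    # unknown username and wrong email fail identically
    pending[username] = f"{secrets.randbelow(10**10):010d}"   # 10-digit numeric security code
    return pending[username], _cookie(username, 2, device)     # in production the code is emailed

def verify_code(username, device, cookie, code):
    """Step 3: the emailed code, presented with the step-2 cookie on the same device."""
    ok = (_valid(cookie, username, 2, device)
          and hmac.compare_digest(code.encode(), pending.get(username, "").encode()))
    return _cookie(username, 3, device) if ok else None

def set_password(username, device, cookie, new_password):
    """Step 4: accept the user's chosen password only with the step-3 cookie (length rule assumed)."""
    return _valid(cookie, username, 3, device) and len(new_password) >= 12
```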

Custom Themes

Partners that have cloned and customized the default cPanel Login Theme will need to update their themes in order to use or continue using the Password Reset feature. The updates noted above required changes that may break custom themes. We recommend that these partners consider using an Edge build of v56 to review and make any necessary changes. In the meantime, the Password Reset option can be disabled easily via a Tweak Setting in WHM.

Where Does This Take Us?

As you know, we are leading up to the launch of Sub-Users having the ability to log in to cPanel. The ability for these users to reset their own passwords has been a key part of the request, and we are excited about the progress on this feature.