cPanel® Blog

Password Reset for All

A feature long requested by cPanel Server Administrators, cPanel Users, and End Users (Webmail, FTP, Web Disk) alike is the ability to reset passwords without Administrator or Account Owner intervention. We have recently revamped the Password Reset process to enhance its capabilities and to extend them so that Subaccounts can reset their passwords through a self-service process. This means that Webmail, FTP, and Web Disk accounts created with the User Manager introduced in v54, or that have a recovery/contact email on file, will be able to take advantage of this self-service capability. I ask that you take a look at what Password Reset has to offer in v56.

User Experience Enhancements

  • The user desiring to reset their password must complete a “challenge” by entering the correct recovery/contact email on file with the account. The long dash in the hint indicates an unknown number of characters, so as to obscure the number of characters in the username.

[Screenshot: PassReset-Challenge]

  • Security Codes are delivered as a 10-digit numeric code, reducing complexity for users with international keyboards.

[Screenshot: PassReset-Security]

  • Rather than generating a new password upon completion, the user is able to set their own desired password.

[Screenshot: PassReset-Reset]

Security Considerations

While a self-service password reset process is a highly requested feature, the security of this application was a top priority for our project team. Here are a few measures which address some of the most common security concerns:

  • Upon entering a username which does not exist on the server, the process continues as if the entered username did exist. The “challenge” still appears and presents a recovery/contact email hint, which prevents the end user from determining whether the entered username exists.
  • Each page within the process is given a unique cookie to prevent a user from entering the password reset process out of sequence, or from a device other than the one which initiated the reset.
  • Flood Control has been extended to prevent a surge of attempts against a single username, blocking additional reset attempts launched within a given time period.
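An added example, not cPanel's code, modelling the first step of the flow described above: the masked recovery-email hint (rule assumed from the “g—@c—.nl” example in the comments below), an identical challenge for usernames that do not exist, and per-username flood control. `ResetService`, `decoy_hint`, the window of five attempts per 900 seconds, and the account table are all constructed for illustration.

```python
import hashlib
import hmac
import string
from collections import defaultdict, deque

EMDASH = "\u2014"
SERVER_SECRET = b"constructed-secret-rotate-in-production"  # constructed sample value

def mask_email(addr: str) -> str:
    # Challenge hint: first character of the local part and of the domain, each
    # followed by an em dash whatever the true length, then the TLD. Assumed rule,
    # generalised from the single "g—@c—.nl" example in the comments.
    local, _, domain = addr.rpartition("@")
    label, _, tld = domain.rpartition(".")
    return f"{local[:1]}{EMDASH}@{label[:1]}{EMDASH}.{tld}"

def decoy_hint(username: str) -> str:
    # Hint for a username that does not exist (hypothetical design): a keyed hash
    # keeps it stable per username, because a fresh random hint on every request
    # would let a caller spot unknown accounts simply by asking twice.
    d = hmac.new(SERVER_SECRET, username.encode(), hashlib.sha256).digest()
    pick = lambda b: string.ascii_lowercase[b % 26]
    tld = ("com", "net", "org")[d[2] % 3]
    return f"{pick(d[0])}{EMDASH}@{pick(d[1])}{EMDASH}.{tld}"

class ResetService:
    def __init__(self, accounts: dict, max_attempts: int = 5, window: int = 900):
        self.accounts = accounts          # username -> recovery email (constructed)
        self.max_attempts = max_attempts  # flood control: attempts per username...
        self.window = window              # ...within this many seconds
        self._attempts = defaultdict(deque)

    def _flooded(self, username: str, now: float) -> bool:
        q = self._attempts[username]
        while q and now - q[0] > self.window:  # drop attempts outside the window
            q.popleft()
        if len(q) >= self.max_attempts:
            return True
        q.append(now)
        return False

    def start(self, username: str, now: float) -> dict:
        if self._flooded(username, now):
            return {"status": "blocked"}
        recovery = self.accounts.get(username)  # same response shape either way
        hint = mask_email(recovery) if recovery else decoy_hint(username)
        return {"status": "challenge", "hint": hint}
```

The caller sees the same `challenge` response for a real and an unknown username, and the per-page cookie and security-code delivery described above would follow this step.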

Custom Themes

Partners that have cloned and customized the default cPanel Login Theme will need to update their themes in order to use, or continue using, the Password Reset feature. The updates noted above required changes that may break custom themes. We recommend that these partners use an Edge build of v56 to review and make any necessary changes. In the meantime, the Password Reset option can easily be disabled via a Tweak Setting in WHM.

Where Does This Take Us?

As you know, we are leading up to the launch of Sub-Users having the ability to log in to cPanel. The ability for these users to reset their own passwords has been a key part of that request, and we are excited about the progress on this feature.

  • This is a good idea; this will save web hosts a lot of time. Password resets are one of the most common requests and one of the most frustrating issues for users when they forget their password and get locked out. Now that users will be able to do it on their own, this will help.

  • Monarobase

    Are you sure showing the first and last letter of the domain + the TLD isn’t too much? What if one of my e-mails is g@cp.nl? Will the abbreviated hint be g@cp.nl? Shouldn’t the hint be something more like g@c*.*l so that it hides letters even for short addresses?

    • cPanelbenny

      I just checked in with Chip, and he let me know that for short email addresses, we will only show a single character, but we will always show an “emdash” to disguise the fact that it could be only one character. We do not want to “give away” the length of the address accidentally. So in your case, it would be “g—@c—.nl”. We purposefully disguise the length of the address to help prevent guessing. The good thing, however, is that even if you guess the address you must have access to that email account in order to retrieve the security code in the next step.