Vincent Panel wrote:
Thanks, but as discussed, even creating a user able to reset all the userPassword attributes of all other users is not security risk free. This is what I call a privileged user and I would like to avoid it.
You can't avoid it if the reset service has to run automagically.
Drupal already supports such a solution, but I don't find it secure enough.
Then you have to add some human admin interaction.
I had an interesting suggestion on the list : to create a database of temporary security objects where drupal is the only one who knows the passwords. Each temporary security object is able to reset one password in the main database (by the use of regex ACLs) and only once.
Yes, but these "temporary security objects" have to be generated. If you do this automagically you have a privileged service account which resets the user's password in combination with a e-mail based challenge-response check. I don't think it's a big security issue though. IMO if you suspect your password reset web component being compromised you should worry about much more in the whole system.
Ciao, Michael.