[rt-users] Building Upon the Concept from AutogeneratedPasswo rd (fwd)

Steven Platt Steven.Platt at HPA.org.uk
Fri Feb 17 11:46:21 EST 2006

JD, Urivan & all,

<Urivan wrote: snip>
- User A logs into RT
- User A is really busy changing tickets
- User B requests a password change using User A's email

Will the system prompt User A in the next submit he makes?

I probably should've explained what we've done more clearly.

As it's not possible to recover an MD5 encrypted string we just overwrite
the old pwd with the new one. Both pwds conform to a standard format so what
happens is that both old & new pwds are the same. 
The system doesn't allow a user to specify their pwd, it's generated from
the e-mail address they give the reminder script (the potential problem
spotted by Urivan should never crop up). 
This is also the check...the address must be linked to an RT self service
account or else no reminder.

We've got a fairly low ticket turnover and a localised user base of only a
couple of hundred people, each with access to the e-mail accounts they use
to access RT, so more advanced authentication systems aren't really

Despite the small setup, it was a nightmare to manage our helpdesk before we
started with RT. Excellent system!

Health Protection Agency, UK

-----Original Message-----
From: doogles at doogles.com [mailto:doogles at doogles.com] 
Sent: Friday,17 February 2006 01:24
To: Steven Platt; rt-users at lists.fsck.com
Subject: RE: [rt-users] Building Upon the Concept from AutogeneratedPasswo
rd (fwd)


Hrm, is there any authentication to this?  I'm thinking something like the 
e-commerce folks use, email out a big long string that needs to be passed 
back to the server.  If you don't really have access to that email 
address, you can't change the password.  If you do, then you click the 
link and are given the option to reset your password.

What do you think?


The information contained in the EMail and any attachments is
confidential and intended solely and for the attention and use of the
named addressee(s). It may not be disclosed to any other person without
the express authority of the HPA, or the intended recipient, or both.
If you are not the intended recipient, you must not disclose, copy,
distribute or retain this message or any part of it. This footnote also
confirms that this EMail has been swept for computer viruses, but
please re-sweep any attachments before opening or saving.
HTTP://www.HPA.org.uk *************************************************

More information about the rt-users mailing list