Team Password Manager allows local users to reset their password if they have forgotten it. This document explains:
How password reset works
Password reset is only available for local users. LDAP and SAML users should use their LDAP/SAML system to do a password reset.
If a Team Password Manager user has forgotten the password to log into Team Password Manager, she can initiate the password reset by clicking on the "Forgot your password?" link in the Sign In screen:
This will take the user to a screen where she can enter her email address:
When she submits the email address she will receive an email message with a password reset URL. When clicking on this URL, the password reset screen will be opened, thus allowing the user to change her password:
Note that for this process to work correctly, Team Password Manager must be able to send email. Check the following document to learn how to do it: Email configuration in Team Password Manager
Disabling password reset
Since version 7.109.212, the password reset feature can be disabled. When you disable it, the "Forgot your password?" link on the Sign In screen will not be shown and users will not be able to reset their password.
To disable the password reset feature, go to "Settings" in the top menu, then select the "Password reset" option on the sidebar, click on the "Disable Password Reset" button and confirm. You can always re-enable password reset if you need to by using the same setting.
There are basically two reasons why you would want to disable password reset:
- Security: the password reset feature sends and email message with a password reset link. There's the possibility of a malicious party intercepting this message and resetting the password. Properly setting up email and using secure access to email protects against this interception, but the ultimate protection is disabling password reset completely.
- Convenience: if all or most of your users are LDAP or SAML users, not showing the "Forgot your password?" link on the Sign In screen will not confuse them on where they need to go to reset their password.
Protection against password reset poisoning
Password reset poisoning is a technique by which an attacker manipulates the password reset link to point to a site under his control. This is done by manipulating the Host header when the reset link is generated. Since version 10.135.236 Team Password Manager has a protection against this by allowing you to define the "password reset URL", which is basically the URL of your Team Password Manager installation before index.php. This way, if an attacker manipulates the Host header, the password reset link will be the same as the one you defined.
To define the "password reset URL", go to "Settings" in the top menu, then select the "Password reset" option on the sidebar, click on the "Edit password reset URL" button, enter the URL in the "Password reset URL" field and save:
The suggested value should be correct in most cases. It should be the URL you see in your browser for your Team Password Manager installation (the part before index.php), so you simply need to copy it to the "Password reset URL" field.
If you want to learn more about password reset poisoning, the following article by Acunetix explains it in detail: Password Reset Vulnerability (Poisoning).
Document changelog
| Nov 29, 2021: | Document created |
