To the best of my knowledge, Textpattern has never stored plaintext user passwords in its database, so we would likely miss out on a mention in PlainTextOffenders. But the system does send out registration and reset request passwords by email, which is ropey security practice because your email’s more than likely stored on someone else’s server.

When it comes to resetting forgotten passwords, no automated system is truly secure. There needs to be some time window to allow you to make such a change, but that leaves an open opportunity for someone wishing to gain unauthorised access to the system. So the trick is to:

Textpattern CMS 4.6.0 now does this, and more. The various workflows are described below as they now happen.

Adding an author: account activation

Instead of being sent your login name and a temporary, pseudo-random password in the welcome email, you are now sent your login name and a link containing a loooooong sequence of random characters, called a token.

Provided your hosting environment is up to the task, this token comes from a cryptographically secure random source, so it is infeasible to guess or forge. If your host is cryptographically challenged, it falls back on a scheme similar to the password generator in 4.5.x, though the token is longer, drawn from a broader set of characters, and hashed (passed through a one-way algorithm) with a salt (random characters added) before being let out, so it is still fairly secure. Bear in mind, though, that hashing cannot add entropy: a fallback token is only as unpredictable as the generator feeding it, so the secure path is the one you want, and a host without it is worth fixing.

When following the link, the new author is greeted with a login-style screen which prompts for a new password to be supplied. As each character is typed, a strength meter provides feedback on the estimated quality of the password. Everyone should be aiming for strong! There’s also a checkbox that allows the password to be temporarily unmasked for verification of what has been typed. This is a convenience to avoid having to enter the same password into two masked boxes, and in no way compromises the security of the stored password, which is only ever stored as a one-way hash, never in a recoverable form.

When the chosen password is submitted, Textpattern verifies that the token is a) valid for the given author name and b) has not expired, then sets the password and returns to the login prompt, sending an email to the new author in the process with a link to the admin side.

By default, authors have a week to respond to activation requests, but this can be changed in your config.php by setting a number of hours in an ACTIVATION_EXPIRY_HOURS definition.

As an administrator, you may use the Admin->Users multi-edit tool to send another ‘welcome’ activation link in the event your author doesn’t respond in time.

Resetting a forgotten password

Just as in 4.5.x, supply your username and you will be sent a reset link. But this is a far stronger link than in prior versions of Textpattern for two reasons:

In versions prior to 4.6.0, your username was embedded in the link in an easily reversible encoding, as a sequence of ASCII digits. Now, a single-use, unique, secure selector is generated to refer to your account, and that is added to the link instead. This way, user ids and login names are never revealed in the link.

Following the link will result in a ‘Set password’ box being shown, similar to the one that new authors see when setting a password for the first time (see above). You type a new password and have a strength meter and the ability to temporarily unmask the password for verifying what you typed.

Upon submission, the token is validated and your password is set. A confirmation email is sent out informing you that the password has changed, but the password itself is not mailed.

By default you have ninety minutes to respond to a reset request before it expires. This can be altered in your config.php using something like this:

define('RESET_EXPIRY_MINUTES', 240);
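To make the token scheme behind both workflows above (account activation and password reset) concrete, here is an added illustration of a selector-plus-verifier link of the kind the post describes. It is example code written for this page, not Textpattern's own implementation: the function names, the in-memory token store standing in for a database table, the `confirm` query parameter and the example.com URL are all assumptions. The random-source fallback chain mirrors the "cryptographically challenged host" situation the post mentions, and the defaults mirror the post's one week for activation and ninety minutes for resets.

```php
<?php
// Added illustration of a selector/verifier reset-token scheme. Not Textpattern's
// own code; names, URL and the in-memory $store are assumptions for the example.

// Defaults as described in the post (a week, ninety minutes). A real deployment
// overrides these with define() in config.php.
const ACTIVATION_EXPIRY_HOURS = 168;
const RESET_EXPIRY_MINUTES    = 90;

/**
 * Random bytes: use the CSPRNG where the host has one, otherwise fall back.
 * A hash never adds entropy, so the fallback is only as strong as the source.
 */
function secure_random_bytes($length)
{
    if (function_exists('random_bytes')) {          // PHP >= 7: CSPRNG
        return random_bytes($length);
    }
    if (function_exists('openssl_random_pseudo_bytes')) {
        $bytes = openssl_random_pseudo_bytes($length, $strong);
        if ($bytes !== false && $strong) {
            return $bytes;
        }
    }
    // Last resort: NOT cryptographically secure. Log it so operators notice.
    error_log('secure_random_bytes: no CSPRNG available, using mt_rand fallback');
    $bytes = '';
    for ($i = 0; $i < $length; $i++) {
        $bytes .= chr(mt_rand(0, 255));
    }
    return $bytes;
}

/**
 * Issue an activation/reset link for $userId. The selector locates the row;
 * the verifier proves the bearer owns the link. Only a hash of the verifier is
 * stored, so reading the table does not yield a usable link, and neither the
 * user id nor the login name appears in the URL.
 */
function issue_token(array &$store, $userId, $ttlSeconds)
{
    $selector = bin2hex(secure_random_bytes(16));   // 128-bit lookup key
    $verifier = bin2hex(secure_random_bytes(32));   // 256-bit secret

    $store[$selector] = array(
        'user_id'       => $userId,
        // SHA-256 is enough here: the verifier is 256 random bits, not a
        // human-chosen password, so a slow password hash is unnecessary.
        'verifier_hash' => hash('sha256', $verifier),
        'expires'       => time() + $ttlSeconds,
    );

    return 'https://example.com/textpattern/?confirm=' . $selector . $verifier;
}

/**
 * Redeem a link. Returns the user id on success, null otherwise. Once the
 * selector is found its row is deleted, so the token is single-use and a
 * wrong verifier burns it instead of permitting retries.
 */
function consume_token(array &$store, $confirm, $now = null)
{
    $now = ($now === null) ? time() : $now;
    if (strlen($confirm) !== 96 || !ctype_xdigit($confirm)) {
        return null;                                 // malformed
    }
    $selector = substr($confirm, 0, 32);
    $verifier = substr($confirm, 32);

    if (!isset($store[$selector])) {
        return null;                                 // unknown selector
    }
    $row = $store[$selector];
    unset($store[$selector]);                        // single use

    if ($row['expires'] < $now) {
        return null;                                 // out of date
    }
    // Constant-time comparison: the verifier is the secret, the selector is not.
    if (!hash_equals($row['verifier_hash'], hash('sha256', $verifier))) {
        return null;
    }
    return (int) $row['user_id'];
}

// Usage: issue a reset for user 7, redeem it once, then try to reuse it.
$store   = array();
$link    = issue_token($store, 7, RESET_EXPIRY_MINUTES * 60);
$confirm = substr($link, strpos($link, 'confirm=') + strlen('confirm='));
$first   = consume_token($store, $confirm);
$second  = consume_token($store, $confirm);
echo ($first === 7 && $second === null) ? "single-use token OK\n" : "unexpected\n";
```

The expiry check runs before the verifier comparison so that an expired token is refused even when the secret is right, and the row is removed as soon as the selector is found, which is what gives the link its single-use property. Generating a fresh selector for every request, rather than deriving one from the user id, is what keeps account identifiers out of the URL, the point made above about 4.6.0's reset links.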

Changing your own password from the admin side

Very little has changed here. The only differences are:

Passwords during setup

When first installing Textpattern, the MySQL password box is masked (with the ability to unmask), and likewise with the password box for your initial admin user. The latter also has a strength meter attached to it. No excuses for rubbish passwords any more!

Behind the scenes tech

For those with a curious mindset who don’t read code, here are some technical details on what’s going on backstage:

The new functionality will be landing in the master branch very soon, so please take it for a test drive and report your findings. We hope you and your clients enjoy the more security-conscious Textpattern experience.