More Secure, Convenient, and Efficient Password Reset

Daniel Gorges

The password-reset process is vastly improved in TYPO3 v10. It’s more secure, saves admin time, and supports brand consistency by sending password reset emails in your site-wide corporate design.

No need to bother the admin any more

In previous versions of TYPO3, every time a backend user forgot their password, they had to notify an administrator and ask them to reset it. They needed to send their username so the admin could then set a new password and send it to the user. It was then up to the user to choose a new secure password by logging in and changing it, but not all users remembered to do this.

TYPO3 core’s new out-of-the-box password reset process looks like this:

  • The user tries to log into the backend and realizes they’ve lost or forgotten their password.
  • They click “forgot password” then enter their email address.
  • An email is automatically sent, styled according to the site’s branding (thanks to another gem in TYPO3 v10—HTML system emails).

Alternatively, it is still possible for an admin to do the reset for a user. In this case, they don’t need to access either the existing or new password: as long as they have the username or email address, they can trigger a reset, sending the email for the user to follow up on as above. Or traditionalists can do it the old-fashioned way and reset the password in the backend, even though we advise against this.

It’s all in core, so no need to rely on extensions

While this process could be built into older TYPO3 versions using third-party extensions, they hooked into the login process, which is risky from a security standpoint. The emails were themed differently from the site itself, which could easily set a security-conscious user’s alarm bells ringing.

For me as a developer, having this workflow working out-of-the-box is a boon because I can deliver more polished, secure sites without installing and configuring any extensions. The extensions were never really satisfactory, either, in my opinion. Reducing my extension footprint by relying on core also reduces the amount of maintenance required in the future.

Reset and forget (or vice versa)

Another advantage of allowing users to reset their passwords independently is that they don’t need to feel embarrassed about disturbing the admin for the fifth time in a row as there’s no human contact involved anymore. Ideally, users should be using a password manager, so they can choose a password like, I don’t know… PhOcY2Lra05@xCqS&9 or even go crazy with n#OH@uZdrJzBxq@fT*al7Z1^5SEzj^VoTUbgJE%HjRYeOv!LKYUmd^4p0QA … safe in the knowledge they can easily reset if they forget, or are temporarily unable to access their password manager for whatever reason.

Go crazy:

TYPO3 v10 supports passwords up to 100 characters long!

Better for business, too

All in all, this approach to password resets is less complex for all users, easier and more secure to maintain, and delivers a better user experience for everyone. Last but not least, businesses and agency owners will love the extra efficiency, saving staff time both during the straightforward reset process itself and by minimizing editor downtime.

This is yet another great reason to upgrade to the latest version of TYPO3! If you need help estimating the work involved, understanding the benefits of an upgrade, or carrying it out, we’re here to help!

Tempted? Check out our 2nd Opinion and upgrade services!
