Magento-lts: Customer cannot see password in email when it is set in backend

Created on 10 Sep 2020  路  11Comments  路  Source: OpenMage/magento-lts


When a customer is created in the backend, the password is not shown in the email password_new.html

Preconditions (*)

  1. OpenMage LTS 19.4.6, with commit 32d9d5
  2. 2.

Steps to reproduce (*)

  1. Backend > Customers > Manage Customers > click _Add New Customer_ to create a customer
  2. Before saving the customer, click checkbox _Send Auto-Generated Password_, then save the customer.

Expected result (*)

  1. The new passoword email has the password in plaintext for the customer to login.
    2.

Actual result (*)

  1. Customer cannot see the password generated by the system

Password: (the password you set when creating your account)
2.

bug

All 11 comments

Not a serious bug, as most stores would probably have a custom password_new.html template. But it needs a fix because it doesn't work out of the box.

Thats tricky, because its clearly a security issue to send the password in plaintext and should never be done.
But I dont have any alternative ideas here :/

Thats tricky, because its clearly a security issue to send the password in plaintext and should never be done.
But I dont have any alternative ideas here :/

Some CMS generate a hashed link, that die after some minutes or hours, where the users set their first password. It works like a "user exists" confirmation and a security enhancement.

i agree with @simbus82 - if you could make a forgotten password type link to set a new password, maybe that could be the solution. "Click here to set your password"-ish.

We have the same issue. When we create a phone order, you have to create the new customer, which gives them an account with autogenerated password.

We need a one time password. A new feature. Anyone up for it?

M2 has a feature which forces Admin users to change the password after a login, I think something similar would be also an option, or reusing the password forgot functionality(or trigger this one from the admin area)

Simplest would be to set a random or invalid password and then send a reset password link to the user.

I think reusing the forgot password link as suggested by @m-overlund and @Flyingmana and @colinmollenhour is the simplest. The link in email on forgot password, account_password_reset_confirmation.html, would land on this page:

image

So, basically need to edit messages in email password_new.html and landing page to fix this.

Obsolute interface in backend customer page:

image

The interface no longer valid because either options on the password would send the email password_new.html, the customer would not be able to see the password to login.

What do we do? Is there a use case for backend user to set password? How about the checkbox? The label should be changed, may be to _Send set password email to customer_. For creating new customer, should the checkbox be checked by default?

I can confirm there are b2b usecases, where admins need to be able to set a password for customers 馃檨

I agree @Flyingmana. I know many situations when Admins helped in changing the password in Backend interface because the customers were not able to reset it. I did it myself one time. In any cases Magento should not send a password by email. A phone conversation it is a better option.

I suggest in emails (if there isn't already) a notification to call in case a customer has issues to access his account.

Was this page helpful?
0 / 5 - 0 ratings