Couldn't log in, now an idiotic phrase? WTF is that?

Hi,

I was using the script (newest version, of course) normally. And the second user tells me she can't access the admin panel.
OK, so I go, change the password... the site logs out automatically.
I try the new password for the second user - no luck. Wrong password (WTF?).

What is more, I try with the main admin account - WRONG PASSWORD?
How come?

Password reminder - some idiotic Woodchuck rhyme for children.
What is the answer for the rhyme? I haven't heard ANY answer for this rhyme. WTF?
Look at possible answers: http://wiki.answers.com/Q/How_much_wood_would_a_woodchuck_chuck_if_a_woodchuck_could_chuck_wood

And the question doesn't refresh into some other... so it's not really a problem for bots. WTF?

Is it something you implemented at some point? WTF?

Guys, you are making the script more and more pain in the ass...

Comments

  • acrylian Administrator, Developer
    If you want our voluntary help please mind your words.

    Zenphoto has two ways to reset the password if forgotten. First, a challenge response way (introduced with 1.4.2). What you see is the standard phrase set by default. You can set your own and of course your response on your user account. Second the old way, you can request a password reset via mail. That requires of course that you set an email address on your user account.

    If all that does not help because your provider maybe changed something on the database or its encoding, you can use the third way by deleting the administrator table in the database directly. The complete procedure is found on the troubleshooting.
  • Sponsi Member
    You aren't afraid of words of criticism, are you?

    So what's the correct answer for the riddle?

    Oh... I should've chosen at some point the e-mail option. OK, I believe such complexity is a must...
  • acrylian Administrator, Developer
    We welcome any criticism. It is more how than what.

    When you set up your user account, you should have filled in the details. I just looked and in 1.4.2.4 there is not even a default riddle. So if you didn't fill it in there is no correct response. And if you have no email set, you have to delete the administrators table in the database and re-upload and re-run the setup script.

    Maybe we should make all fields required with 1.4.3. I will suggest that to the team.
  • There is no correct answer to the riddle nor should there be. If you want a simple solution you can use simple easy to guess passwords. If you want security, such complexity is inevitable.

    We will not make the fields required. Some people will not wish to use them.
  • Could I suggest that you make the email a required field for the administrator? That way, there is at least one person in the group that is able to access all user data.
  • "The Administrator"? Now who would that be? We have only the concept of users with admin rights. And a user without admin rights will acquire it if "promoted" when other administrators have been deleted. So, when does the field become required? And what if the site does not support e-mail?

    No, it is the responsibility of the user to provide a basis for password reset. You cannot legislate common sense.
  • acrylian Administrator, Developer
    Maybe we should just show a message on user account creation that either email or challenge response should be set up for a possible password reset?
  • Make it a required field during setup
  • ????

    Setup does not have anything to do with the admin user tab.
  • acrylian Administrator, Developer
    He probably meant when setting up a (first) admin user so there is always a way to reset you cannot forget to set up.