If I enable the function to allow resending the password, this will generate a new password for the user and send it to him/her by email.
This poses security issues:
- anyone can request to change any user's password. All you need to know is the user name (often easy to guess).
- the password is sent in the same email as the login!
We need a feature that will only send a link by email to display a password reset form.
This link should expire (and the password will remain unchanged) after a few minutes.
Thus, only the recipient of the email, i.e. the account email address, will be able to change the password.
I hope you will find this demand essential in terms of security, to put on your development roadmap.
Thank you for your feedback.
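The reset flow requested above, sketched as an added example that is not part of the original post or the product's own code. The `ResetService` class, its in-memory stores, and the 10-minute lifetime are assumptions made for illustration; the post only asks for "a few minutes".

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 10 * 60   # assumed lifetime; the post says "a few minutes"
PBKDF2_ITERATIONS = 600_000


class ResetService:
    """Hypothetical in-memory service; a real one would use the user database."""

    def __init__(self):
        self.passwords = {}  # username -> (salt, password hash)
        self.pending = {}    # sha256(token) -> (username, expiry timestamp)

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def set_password(self, username, password):
        salt = secrets.token_bytes(16)
        self.passwords[username] = (salt, self._hash(password, salt))

    def check_password(self, username, password):
        salt, stored = self.passwords[username]
        return secrets.compare_digest(stored, self._hash(password, salt))

    def request_reset(self, username, now=None):
        """Return the token for the emailed link. The password is NOT changed here,
        so a stranger who knows the user name cannot lock the user out."""
        now = time.time() if now is None else now
        if username not in self.passwords:
            return None  # the UI should show the same message either way
        # Only one outstanding link per user: drop any earlier token.
        self.pending = {h: v for h, v in self.pending.items() if v[0] != username}
        token = secrets.token_urlsafe(32)
        # Store only a hash, so a leaked token table cannot be replayed.
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[digest] = (username, now + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token, new_password, now=None):
        """Set the new password if the token is known, unexpired and unused."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # pop makes the link single-use
        if entry is None or now > entry[1]:
            return False
        self.set_password(entry[0], new_password)
        return True
```

The email then carries only a link containing the token, never the login or a password.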