For those of you interested in adding a little extra security to your Magento’s admin “Forgot your password?” feature, you might find this module useful. The thing about current Magento (184.108.40.206) “Forgot your password?” feature is that it immediately resets your password and sends it to you in an email. Unlike many other systems, Magento won’t send you a “Password change confirmation” email first with some randomly generated key/url which you need to visit in order to actually change your password. It will reset you password immediately.
Although useful this can soon turn into stressful behaviour if you got someone trying to mess with you. Where that someone, just by knowing your email can initiate password reset each time he wishes just by visiting http://magento-demo.ajzele.net/index.php/admin/index/forgotpassword/ url and writing down your email address.
To pass by this, I wrote a little Magento extension that sends you a sort of “Forgotten password confirmation email” before changing the password.
Extension works on the principl of event observer. It does not override any of the existing controllers or actions. It simply fires on “controller_action_predispatch” event for “Mage_Adminhtml” as a controller module and “forgotpassword” as a action name.
Feel free to modify it and adjust to suite your needs.
Download Ajzele_Admin2.tar.gz extension for Magento (tested/coded on Magento 220.127.116.11).
Hope it helps someone. Cheers.