Adding extra security to Magento’s admin “Forgot your password?”


For those of you interested in adding a little extra security to your Magento admin “Forgot your password?” feature, you might find this module useful. The thing about the current Magento ( “Forgot your password?” feature is that it immediately resets your password and sends it to you in an email. Unlike many other systems, Magento won’t first send you a “Password change confirmation” email with a randomly generated key/URL that you need to visit in order to actually change your password. It will reset your password immediately.

Although useful, this can soon turn stressful if someone is trying to mess with you. Anyone who knows your email address can initiate a password reset whenever they wish, just by visiting the URL and entering your email address.

To get around this, I wrote a little Magento extension that sends you a sort of “Forgotten password confirmation email” before changing the password.

The extension works on the principle of an event observer. It does not override any of the existing controllers or actions. It simply fires on the “controller_action_predispatch” event, with “Mage_Adminhtml” as the controller module and “forgotpassword” as the action name.
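The confirm-before-reset step described above, sketched as an added example that is not the extension's own code. The function names, the 32-character token, the one-hour lifetime and PHP 7.1+ are assumptions. It draws the key with random_int() (a CSPRNG) using an inclusive upper bound of strlen - 1, the bound a commenter below corrects in genRandomString, and it stores only a hash of the key.

```php
<?php
// Added example, not code from the Ajzele_Admin2 extension.
// Function names, token length and lifetime are assumptions for illustration.

const TOKEN_ALPHABET = 'abcdefghijklmnopqrstuvwxyz0123456789';
const TOKEN_LENGTH   = 32;
const TOKEN_TTL      = 3600; // seconds the confirmation link stays valid

/** Build the key from a CSPRNG; random_int()'s upper bound is inclusive. */
function generateResetToken(): string
{
    $max   = strlen(TOKEN_ALPHABET) - 1; // last valid index, not strlen()
    $token = '';
    for ($i = 0; $i < TOKEN_LENGTH; $i++) {
        $token .= TOKEN_ALPHABET[random_int(0, $max)];
    }
    return $token;
}

/** Record to persist for the user: a hash of the key plus its expiry. */
function issueResetRequest(string $token, int $now): array
{
    return ['hash' => hash('sha256', $token), 'expires' => $now + TOKEN_TTL];
}

/** True only for an unexpired request whose hash matches (constant-time compare). */
function confirmResetRequest(?array $stored, string $presented, int $now): bool
{
    if ($stored === null || $now > $stored['expires']) {
        return false;
    }
    return hash_equals($stored['hash'], hash('sha256', $presented));
}

// Constructed walk-through: the key is emailed, the record is stored server-side.
$now    = time();
$token  = generateResetToken();
$record = issueResetRequest($token, $now);

var_dump(confirmResetRequest($record, $token, $now + 60));            // link followed in time
var_dump(confirmResetRequest($record, 'guess', $now + 60));           // wrong key
var_dump(confirmResetRequest($record, $token, $now + TOKEN_TTL + 1)); // link expired
var_dump(confirmResetRequest(null, $token, $now));                    // no pending request
```

The password is changed only after confirmResetRequest() returns true, and the stored record should be deleted at that point so the link works once.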

Feel free to modify it and adjust it to suit your needs.

Download Ajzele_Admin2.tar.gz extension for Magento (tested/coded on Magento

Hope it helps someone. Cheers.


  1. Could you please help me in resetting the password. I am a little confused by the code below:

    $username = 'admin';
    $password = 'xxxxxxx';

    // Look up the admin user by username
    $user = Mage::getModel('admin/user')
        ->load($username, 'username');
    if (!$user->getId()) {
        throw new Exception('Failed to find ' . $username);
    }

    Or could you please suggest new code for me.

  2. Hi,
    My task is to create an attribute in System -> Configuration -> Catalog. That should be a multi select box. Those values we set in configuration that value and field should display in catalog admin panel along with multi select box.

    Please help me regarding this problem.

  3. What am I missing?

    I've downloaded the tar.gz folder, unzipped and uploaded it to my server. What now? What do I need to change to activate this extension?

    Sorry if I'm missing something really dumb.


  4. Branko, I found a bug in your module in Ajzele_Admin2_Model_Observer::genRandomString.

    The wrong:

    $string .= $characters[mt_rand(0, strlen($characters))];

    The correct:

    $string .= $characters[mt_rand(0, strlen($characters)-1)];

    The $characters index starts at 0 and the max is 35, not 36 (strlen).
    When mt_rand generates 36, it produces a notice:
    Notice: Uninitialized string offset: 36

    Regards from Brazil!

  5. @EL (that you ???)

    And why is that not good? It's not like anyone would turn off the “Admin” module, and even if they do, it should not break anything as I am observing the general “controller_action_predispatch” event. Plus, I think that lines 22/23 of the module's Observer.php speak for themselves.

  6. @David

    Well, now that you mentioned it. I’ll see if I catch some free time across this weekend. Basically I think the same approach can be applied. Thanks for the feedback.

  7. Fantastically useful module. Thanks for this Branko. Are there any plans to extend this to the frontend as well?

  8. Hey, this may not be the most appropriate place to ask, but your personal sites are down. Just wondering what happened to and Maybe talk to the inchoo guys and see if they’ll let you make a post updating us about it? I’ve been following your sites since before you joined inchoo. I remember when you were still learning how to use an IDE and posting about Zend Framework. Keep us updated man.

    Kind regards!
