Securit:ee 1.3 Released Today
Today's release of Securit:ee 1.3 adds some much-needed improvements for ExpressionEngine sites: a complete reworking of the Forgot Password template tags, a new Change Password template tag, Safecracker support for the Encryption Fieldtype, and updates to the Security Scanner.
The default Forgot Password behaviour in ExpressionEngine has long been a source of disappointment to security-minded devs. By default, when a user forgot their password, ExpressionEngine would reset it to a random string and email that password to the user. This approach is fraught with failure and is simply bad practice. Securit:ee 1.3 fixes this with a new tag (exp:securitee:forgot_password) that changes nothing without further action. Instead, an expiring link (24 hours) is emailed to the user; clicking it takes them to a form where they can change their password. The tag can use either inline error messages or the default (gross) ExpressionEngine ones.
There's also a new stand-alone Change Password template tag (exp:securitee:change_password) that lets logged-in users update their password without having to enter their username. If the user is not logged in, the tag requires a valid forgot-password hash in the URL; otherwise anyone could change the password just by visiting the page. It uses the built-in ExpressionEngine password rules for validation and supports inline error messages.
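The flow the two tags above describe, as an added example that is not Securit:ee's or ExpressionEngine's code (it is written in Python to show the logic, not as an EE add-on): a reset request issues a random token, stores only the token's hash together with a 24-hour expiry, and emails a link carrying the token; the change-password step accepts a new password only from a logged-in user or from a request presenting a valid, unexpired, unused token. The in-memory `UserStore`, the `validate_password` stand-in for EE's password rules, and the link format are assumptions made for this example.

```python
"""Token-based password reset (added example; not Securit:ee's code).

Instead of mailing a new password, an expiring, single-use link is mailed.
The password only changes when the user submits the form behind that link
or is already logged in.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

RESET_TTL = timedelta(hours=24)  # the 24-hour expiry described in the post


def _hash_password(password):
    # Illustrative only; a real site uses a dedicated password hash (bcrypt/argon2).
    return hashlib.sha256(b"pw:" + password.encode()).hexdigest()


def _hash_token(token):
    # Only the hash of the token is stored, so a leaked database does not
    # yield usable reset links.
    return hashlib.sha256(token.encode()).hexdigest()


class UserStore:
    """Toy in-memory user table (constructed for this example)."""

    def __init__(self):
        self.users = {}  # username -> {"pw_hash": str, "reset": dict | None}

    def add_user(self, username, password):
        self.users[username] = {"pw_hash": _hash_password(password), "reset": None}


def issue_reset_token(store, username, now=None):
    """Create an expiring reset token for `username` and return the plaintext
    token to embed in the emailed link. Returns None for unknown users; the
    caller should show the same generic message either way."""
    now = now or datetime.now(timezone.utc)
    user = store.users.get(username)
    if user is None:
        return None
    token = secrets.token_urlsafe(32)
    user["reset"] = {"hash": _hash_token(token), "expires": now + RESET_TTL}
    return token


def reset_link(base_url, token):
    # Assumed link format; the token travels only in this emailed URL.
    return f"{base_url}/change-password?hash={token}"


def validate_password(password):
    # Stand-in for ExpressionEngine's built-in password rules (assumption).
    if len(password) < 8:
        return "Password must be at least 8 characters."
    return None


def change_password(store, username, new_password, *, logged_in=False,
                    token=None, now=None):
    """Change a password. A logged-in user needs no token; anyone else must
    present a valid, unexpired, unused reset token. Returns (ok, message)."""
    now = now or datetime.now(timezone.utc)
    user = store.users.get(username)
    if user is None:
        return False, "Invalid request."
    if not logged_in:
        pending = user.get("reset")
        if token is None or pending is None:
            return False, "A valid password reset link is required."
        # Constant-time comparison of the stored hash against the presented token.
        if not hmac.compare_digest(pending["hash"], _hash_token(token)):
            return False, "A valid password reset link is required."
        if now > pending["expires"]:
            user["reset"] = None
            return False, "This password reset link has expired."
    err = validate_password(new_password)
    if err:
        return False, err  # token stays valid so the user can retry
    user["pw_hash"] = _hash_password(new_password)
    user["reset"] = None  # single use: consume the token on success
    return True, "Password changed."


def check_login(store, username, password):
    user = store.users.get(username)
    return user is not None and hmac.compare_digest(
        user["pw_hash"], _hash_password(password))
```

Because the stored record holds only the token's hash and an expiry, an attacker who reads the database still cannot build a working link, and a link that is used once or has passed its 24-hour window is rejected with the same generic message as a forged one.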
The Encryption Fieldtype also gets an update: it is now fully Safecracker compatible for use outside the Control Panel. Encrypted data is now not only consumable on the front end (as always) but also handled there with the same secure practices, so your data remains secret where it needs to be.
The Security Scanner, which suggests improvements to your ExpressionEngine site, has also been updated: it now reminds you to configure Securit:ee properly and recommends certain add-ons to install, such as Devot:ee Monitor and VZ Bad Behavior.