Password Changes


QBO 3 enables users to request password resets, and allows security administrators to issue a password reset on behalf of a user. A password reset uses email as a side channel to issue a one-time token to allow the user to choose their new password:
  • Login.ashx/ResetPassword?Person={Person} will issue a password reset email to the email associated with {Person}
  • Person.ashx/PasswordReset?ID={PersonID} will issue a password reset email to the email associated with {PersonID}
Note that QBO 3 intentionally does not allow administrators to choose a password for an end user, as this violated the OWASP best practices for forgotten passwords.

Forcing Password Changes

The security module has the ability to force the user to change their password at login. Update Person.ForcePasswordChange to true and the next time the user tries to login a section for changing their password will be rendered. The system validates the user against their old password prior to allowing the password to be changed.


There are certain pages that need to be accessed with anonymous security access. These pages are defined in SecurityWeb settings under LoginPublicMethods

<setting name="LoginPublicMethods" serializeAs="String">

The IPerson interface includes the new ForcePasswordChange. While making this change the interface was also extended to include LicenseAccepted and Lockout. Since Lockout and ForcePassword change are now part of IPerson their values can be directly accessed by looking at User.


IPerson user = (IPerson)Membership.GetUser(username);
if (user.ForcePasswordChange)
  context.Response.Write("{'success':false, 'forcepasswordchange':true}");

Login.ashx - ProcessRequest checks to see if the Operation being processed is a public method. If the operation is not public, it does a check to ensure we are authenticated prior to processing the request. New method for ForcePasswordChange was created here also.