send password reset token in password recovery email

Hello,
I've searched high and low, and didn't see an existing solution (sorry if I've missed it).

The password reset email sends both the username and password, which is a huge no-no from security perspective.
Is there a way to send a password reset token/link (similar to Joomla's native password reset) instead?

This is a question of not only security, but also usability. The machine-generated password is of no value to the users as the vast majority of them will want to reset it to something different than the machine-generated one. So why not simply take them to the password reset page right away rather than forcing them to log in, then actually look where they can change their password.

Any way to achieve this please?

Thanks a ton

The password reset email sends both the username and password, which is a huge no-no from security perspective.

We're aware, but it requires a rewrite of forgot login so it has not been done yet. The password sent is randomly generated however so there's no issues regarding plaintext storage at the very least. The user is expected to change their password.

Is there a way to send a password reset token/link (similar to Joomla's native password reset) instead?

No, not until we've redesigned the forgot login behavior.

Thanks, @krileon, is there a timing on this change? Best

I do not have a time frame for the forgot login redesign.

Thanks again, @krileon. One last post on this topic please.

Any hint you can give me on which file I could change the reroute from Joomla's native Password reset and Username reminder pages to /cb-forgot-login? I realize CB cannot recommend or endorse this, and that I am on my own if I make these changes. I'm a decently experienced Joomla user so I'm comfy with making these changes every time I upgrade CB.

Thanks a bunch!

You can disable the rerouting entirely within our system plugin in Extensions > Plugins.