Beware of the Password Changed Email Template field on the Email Preferences (SM204001) screen. Many people don't even know that it's there, which makes it even more dangerous.
For some strange reason, out-of-the-box, Acumatica is set up to send someone an email every time their password changes WITH THE PASSWORD IN THE EMAIL! Dumb? Well, I think so. But that's the way it is, at least as of Acumatica 2020 R2 (20.206.0011).
This is a problem any time that a user changes their password, but I want to discuss an entire scenario to make it more realistic.
Someone sets up an account for me using the Users (SM201010) screen and assigns the appropriate security permissions:
Rather than use an insecure password, they leave Generate Password checked in the previous screenshot, which is smart. They also manually check Force User to Change Password on Next Login, which is also smart. That way Acumatica will force me to create my own password when I log in.
As soon as they click the Save button on the Users (SM201010) screen, my user is created and I get an email by default because by default the New User Welcome Email Template field is populated on the Email Preferences (SM204001) screen:
The dangerous part in the screenshot above is the Password Changed Email Template field, but more on that later.
Now, I receive an email that looks something like this, with the automatically generated password in the email:
I'm ok with this because, in theory, I'm going to log in pretty quickly and, when I do, Acumatica is going to force me to change my password, making the password that was sent in clear text via email obsolete.
When I log in, Acumatica forces me to change my password before it will let me in, which is good:
At this point, we're still ok because Acumatica was smart enough not to email me the new password that I just created.
But, let's say that, for whatever reason, I then go into the User Profile (SM203010) screen and click the CHANGE PASSWORD button. I create a new password for myself and press the Save button. Seconds later, I get an email with the password that I just entered:
What?!? I don't need an email with my new password. That's a big security hole. Anything sent in an email can be read by anyone who can intercept it or who later gets into the mailbox.
My recommendation is to change this behavior by either:
1. Removing the value in the Password Changed Email Template field on the Email Preferences (SM204001) screen:
2. Or, pulling up the Password Change Notification in the Notification Templates (SM204003) screen, which looks like this:
And changing the email template to look something more like this: