Solved
Inquiry About Password Reset Without Email Verification
Question

We want to inquire about the possibility of resetting an End-User's password through the system without requiring email verification. 

Our business requires us to update End-Users' passwords automatically (triggered by a specific event) and then send the new password via the End-User's email. Can this action be performed without email verification?


2024-07-05 14-16-55
Daniël Kuhlmann
 
MVP

Hi,

Sending passwords via email is a very bad idea! 

You should never share new passwords via email because email is one of the weakest and most insecure communication channels. 

Key reasons:

  1. Email is not encrypted end-to-end by default. Passwords can be intercepted while in transit or when stored on mail servers. If the user's or your email account is compromised, the password is immediately exposed.

  2. Stored in plain text in multiple places. Emails often remain in inboxes, sent folders, and backups indefinitely. Anyone with later access to those mailboxes can retrieve the password.

  3. Increased attack surface. Attackers commonly target email accounts through phishing or credential stuffing. If a password is shared via email, it becomes a valuable target.

  4. Violates security best practices. Standards like ISO 27001, NIST, and GDPR-related security guidelines advise against sending credentials over email. It weakens compliance posture.

  5. No control or audit. Once an email is sent, you cannot revoke or track who accessed it. If it lands in the wrong inbox, there's no way to recall it.

Email is fine for sending a reset link, never for sending the actual password.

Regards,

Daniel
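The pattern Daniel recommends (email a reset link, never the password) can also be driven by an event or a scheduler, which is what the original question asks for: the system invalidates the current credential and mints a single-use, time-limited token, and the user chooses the new password themselves. The following is an added illustration written for this thread, not OutSystems or ODC code; it uses constructed in-memory dictionaries (USERS, RESET_TOKENS) in place of a real user directory and token table, and the hypothetical base URL https://app.example.com/reset.

```python
import hashlib
import secrets
import time

# Constructed in-memory stores standing in for a user directory and a
# reset-token table. A real system would back these with a database.
USERS = {
    "alice@example.com": {"salt": b"constructed-salt", "password_hash": "", "reset_required": False},
}
RESET_TOKENS = {}  # sha256(token) -> {"email", "expires", "used"}

TOKEN_TTL_SECONDS = 15 * 60  # reset links stop working after 15 minutes


def _hash_token(token):
    # Only a hash of the token is stored, so a leaked token table cannot be
    # replayed against the reset endpoint.
    return hashlib.sha256(token.encode()).hexdigest()


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000).hex()


def issue_reset_token(email, now=None):
    """Forced reset triggered by an event or a scheduler job.

    Marks the account as requiring a reset, drops any earlier outstanding
    token for it, and returns a fresh random token. The caller emails a link
    containing the token; no password is generated or sent anywhere.
    """
    user = USERS.get(email)
    if user is None:
        return None  # do not reveal whether the address exists
    now = time.time() if now is None else now
    # Invalidate previous tokens so only the newest link works.
    for token_hash in [h for h, r in RESET_TOKENS.items() if r["email"] == email]:
        del RESET_TOKENS[token_hash]
    token = secrets.token_urlsafe(32)  # 256 bits of CSPRNG entropy
    user["reset_required"] = True
    RESET_TOKENS[_hash_token(token)] = {"email": email, "expires": now + TOKEN_TTL_SECONDS, "used": False}
    return token


def build_reset_link(token, base_url="https://app.example.com/reset"):
    # Hypothetical reset page; the token travels in the link, the password never does.
    return f"{base_url}?token={token}"


def consume_reset_token(token, new_password, now=None):
    """Validate a token presented via the link, then set the user-chosen password.

    Fails closed on unknown, expired or already-used tokens.
    """
    now = time.time() if now is None else now
    record = RESET_TOKENS.get(_hash_token(token))
    if record is None or record["used"] or now > record["expires"]:
        return False
    record["used"] = True  # single use, even if the same link is clicked again
    user = USERS[record["email"]]
    user["password_hash"] = _hash_password(new_password, user["salt"])
    user["reset_required"] = False
    return True


def verify_password(email, password):
    user = USERS.get(email)
    if user is None or not user["password_hash"]:
        return False
    candidate = _hash_password(password, user["salt"])
    return secrets.compare_digest(candidate, user["password_hash"])


if __name__ == "__main__":
    token = issue_reset_token("alice@example.com")
    print("email this link:", build_reset_link(token))
    print("reset accepted:", consume_reset_token(token, "correct horse battery staple"))
    print("replay rejected:", not consume_reset_token(token, "another one"))
```

The scheduler only ever calls issue_reset_token and mails the link; the mailbox, its backups and anyone who later reads it get a token that expires, works once, and is useless after the user has acted on it, which addresses each of the five points above.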

Ivanowsky Habeahan

Hi Daniel,

Thank you for your response and valuable input.

Actually, the example we shared was only for illustration purposes. What we would like to ask is: would it be possible to change an end user’s password directly (programmatically) without requiring email verification, and have this process run via a scheduler if needed?

2024-07-05 14-16-55
Daniël Kuhlmann
 
MVP
Solution

Even if it were possible, you would need to share the password, and that you should never do.

Using the ODC User Management API, there is no feature to change the password, and OutSystems has already confirmed they will not provide one because it is a security risk: it would allow developers to impersonate another user.

However, if you use an external identity provider with ODC, that provider might have an API method that allows you to change the password. For example, in Microsoft Entra you can do this with the Graph API. See https://learn.microsoft.com/en-us/graph/api/user-changepassword?view=graph-rest-1.0