Skip to main content

This content has been archived and is no longer being updated. Links may not function; however, this content may be relevant to outdated versions of the product.

Support Article

Password reset form sends password in plaintext in the URL



When a user resets their password, the new password is send in plaintext in the URL of the GET request.

Error Messages

Not Applicable

Steps to Reproduce

Reset your password using the link in the profile of the user portal.

Root Cause

A defect in Pegasystems’ code or rules. An old version of the password reset dialog is used which uses GET instead of POST.


Perform the following local-change:

1) Save the rule @baseclass.Desktop-Operator-Profile-Full into the application ruleset.
2) Copy the HTML Source from the rule @baseclass.Operator-Profile-Full into the HTML Source field of the Desktop-Operator-Profile-Full rule, save into the ruleset.
3) Save or check in Desktop-Operator-Profile-Full.

This will use a new version of the dialog that uses POST.  Logged in user must log out before they see the changes.


Published January 20, 2017 - Updated October 8, 2020

Was this useful?

0% found this useful

Have a question? Get answers now.

Visit the Collaboration Center to ask questions, engage in discussions, share ideas, and help others.

Did you find this content helpful?

Want to help us improve this content?

We'd prefer it if you saw us at our best.

Pega Community has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice
Contact us