Timeline for "Forgot Password" - How to handle this?
Current License: CC BY-SA 2.5
5 events
| when toggle format | what | by | license | comment | |
|---|---|---|---|---|---|
| Oct 28, 2010 at 17:15 | comment | added | Paweł Dyda | That's why I wrote about security question. | |
| Oct 28, 2010 at 15:57 | comment | added | Viper_Sb | @Pawel Dyda A reset link can also be sniffed, if your email is getting sniffed i think having a temp password in your email is the least of your worries. | |
| Oct 28, 2010 at 15:55 | comment | added | Paweł Dyda | Unless somebody is using secure way to connect to mail server (i.e. web mail via HTTPS or POP3 over TLS), such communication could be easily sniffed. In that case some "haX0r" could easily log into other user's account. That's why it is bad idea. Reset link should be sent as Chris suggests and accompanied security question should be asked before actually letting user to change his/her password. Still not 100% safe (as many times answers to such security questions could be easily guessed), but I can't see any better solution. | |
| Oct 28, 2010 at 15:52 | comment | added | Kate Gregory | I've done this in several sites. While you can argue that a mail snooper can get the password, they can also get whatever other temporary token etc you would email. This approach is simpler for the user (they can copy and paste or even type the temp password) and doesn't take a security hit. | |
| Oct 28, 2010 at 15:07 | history | answered | Viper_Sb | CC BY-SA 2.5 |