When a user goes to the forgot-password page and enters his email, the script changes his password and sends it to the user's email.
It's a bad scenario because other users can enter my email address and my password will be changed without me wanting it.
I suggest that the script send a validation link to the user's email; then, if the user clicks on this link, redirect to a new page where he can define a new password.
forgot password security
(User, Posts: 293)
forgot password security
(User, Posts: 416, Location: Nürnberg/Germany)
At the moment, users receive two emails. The first email is the verification, the second email the new password.
If you use a tablet/smartphone for reading emails, it is not very comfortable to copy & paste the 16-character-long new password. And after that, you also have to set a new password.
I suggest the following:
Sending a second email with a random password is not necessary. After clicking the URL in the verification email, redirect directly to a form where users can set the new password.
In short, my suggestion is the following:
- Send an email with an activation link
- After clicking the link, redirect to a form for the new password
Ready...
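The two-step flow both posts ask for (a single-use link first, the new password only set on the form behind it, nothing changed at request time), as an added Python example. This is not code from the thread or from the script under discussion; the class and function names, the 15-minute link lifetime, the PBKDF2 parameters and the 12-character minimum are assumptions for illustration. In a real deployment the token is embedded in the emailed URL and never logged.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional

TOKEN_TTL_SECONDS = 15 * 60      # assumed policy: a reset link is valid for 15 minutes
PBKDF2_ROUNDS = 200_000          # assumed password-hashing cost
MIN_PASSWORD_LEN = 12            # assumed minimum length for the new password


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """PBKDF2-HMAC-SHA256 with a fresh 16-byte random salt; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def _token_key(token: str) -> str:
    """Only a hash of the token is stored, so a leaked table cannot be replayed."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


@dataclass
class User:
    email: str
    salt: bytes
    pw_hash: bytes


@dataclass
class ResetRequest:
    email: str
    expires_at: float


class PasswordResetService:
    def __init__(self, users: Iterable[User], now: Callable[[], float] = time.time):
        self.users: Dict[str, User] = {u.email.lower(): u for u in users}
        self.now = now                              # injectable clock, used by the expiry test
        self.pending: Dict[str, ResetRequest] = {}  # sha256(token) -> request

    def request_reset(self, email: str) -> Optional[str]:
        """Step 1, the 'forgot password' form. Nothing about the account changes here,
        so someone typing another person's address causes no harm. A single-use token
        is issued; the caller would put it in the emailed link. None for an unknown
        address is internal only: the HTTP response should look identical either way,
        so the form cannot be used to enumerate accounts."""
        user = self.users.get(email.lower())
        if user is None:
            return None
        token = secrets.token_urlsafe(32)   # 256 bits of randomness, URL-safe
        # Any earlier unused link for this account is invalidated.
        self.pending = {k: r for k, r in self.pending.items() if r.email != user.email}
        self.pending[_token_key(token)] = ResetRequest(user.email, self.now() + TOKEN_TTL_SECONDS)
        return token

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Step 2, the form the link redirects to. The token must be known and unexpired;
        the password is changed only here, and the token is then consumed."""
        key = _token_key(token)
        req = self.pending.get(key)
        if req is None:
            return False
        if req.expires_at < self.now():
            del self.pending[key]           # expired links are discarded
            return False
        if len(new_password) < MIN_PASSWORD_LEN:
            return False                    # policy failure: link stays usable for a retry
        user = self.users[req.email.lower()]
        user.salt, user.pw_hash = hash_password(new_password)
        del self.pending[key]               # single use
        return True


if __name__ == "__main__":
    # Constructed sample account; the old password stays valid until step 2 succeeds.
    salt, digest = hash_password("old-password-123")
    alice = User("alice@example.com", salt, digest)
    svc = PasswordResetService([alice])
    link_token = svc.request_reset("alice@example.com")
    print("old password still valid after request:", check_password("old-password-123", alice.salt, alice.pw_hash))
    print("reset via link:", svc.complete_reset(link_token, "correct horse battery staple"))
    print("same link usable again:", svc.complete_reset(link_token, "another-new-password-1"))
```

Because the stored key is a SHA-256 of a 256-bit random token, the dictionary lookup needs no constant-time comparison: an attacker cannot guess the token, and a leaked `pending` table does not hand out working links. Issuing a new link replaces any older one for the same account, which closes the window where two valid links exist for one address.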