forgot password security

ghasembaghi
User
Posts: 293

forgot password security

Post by ghasembaghi »

When a user goes to the forgot password page and enters his email, the script changes his password and sends it to the user's email.
It's a bad scenario because other users can enter my email address and my password will be changed without me wanting it.
I suggest that the script send a validation link to the user's email; then, if the user clicks on this link, redirect to a new page where he can define a new password.


digitalphotoworld
User
Posts: 416
Location: Nürnberg/Germany

Post by digitalphotoworld »

At the moment, users receive two emails. The first email is the verification, the second email the new password.
If you use a tablet/smartphone for reading emails, it is not very comfortable to copy & paste the 16-character-long new password. And after that, you also have to set a new password.

I suggest the following:

Sending a second email with a random password is not necessary. After clicking the URL in the verification email, redirect directly to a form where users can set the new password.

In short, my suggestion is the following:

  1. Send an email with an activation link
  2. After clicking the link, redirect to a form for the new password

Ready...
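The two-step flow the thread converges on (a one-time link by email, then a form for the new password, with the old password untouched until that form is submitted), as an added example that is not code from this forum's software or from either poster. It assumes a token lifetime of one hour, PBKDF2-HMAC-SHA256 for password storage, an in-memory user table, and a constructed outbox list standing in for the mailer; the link hostname is a placeholder.

```python
"""Link-based password reset flow (added example, not the forum project's code).

Step 1 only emails a single-use link; nothing about the account changes.
Step 2, reached by clicking the link, sets the new password and burns the token.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 3600        # assumption: reset links are valid for one hour
PBKDF2_ITERATIONS = 100_000     # assumption: PBKDF2-HMAC-SHA256 work factor
GENERIC_REPLY = "If that address is registered, a reset link has been emailed."


def hash_password(password: str) -> bytes:
    """Salted PBKDF2 hash; the 16-byte salt is stored in front of the derived key."""
    salt = secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def verify_password(password: str, stored: bytes) -> bool:
    salt, key = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, key)


class PasswordResetService:
    def __init__(self, users: dict, now=time.time):
        self.users = users      # email -> {"password_hash": bytes}
        self.resets = {}        # sha256(token) -> (email, expiry); the raw token is never stored
        self.outbox = []        # constructed stand-in for the mailer: (email, link)
        self.now = now          # injectable clock so expiry can be exercised offline

    @staticmethod
    def _token_key(token: str) -> str:
        # Store only a hash: a leaked reset table cannot be turned into working links.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, email: str) -> str:
        """Step 1: email a one-time link. The account's password is not changed.

        The reply is identical whether or not the address exists, so the form
        cannot be used to enumerate accounts; only the mailbox owner learns more.
        """
        if email in self.users:
            token = secrets.token_urlsafe(32)          # 256 bits of entropy, not guessable
            self.resets[self._token_key(token)] = (email, self.now() + TOKEN_TTL_SECONDS)
            # Placeholder hostname; a real deployment uses its own HTTPS origin.
            self.outbox.append((email, f"https://example.invalid/reset?token={token}"))
        return GENERIC_REPLY

    def lookup_token(self, token: str):
        """Return the email a live token belongs to, or None if unknown or expired."""
        key = self._token_key(token)
        entry = self.resets.get(key)
        if entry is None:
            return None
        email, expires = entry
        if self.now() > expires:
            del self.resets[key]
            return None
        return email

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Step 2: the link was clicked and the form with the new password submitted."""
        email = self.lookup_token(token)
        if email is None:
            return False
        self.users[email]["password_hash"] = hash_password(new_password)
        del self.resets[self._token_key(token)]       # single use: a replayed link fails
        return True

    def login(self, email: str, password: str) -> bool:
        user = self.users.get(email)
        return user is not None and verify_password(password, user["password_hash"])


if __name__ == "__main__":
    users = {"alice@example.com": {"password_hash": hash_password("old-secret")}}
    svc = PasswordResetService(users)
    svc.request_reset("alice@example.com")
    print("still logs in with old password:", svc.login("alice@example.com", "old-secret"))
    link = svc.outbox[0][1]
    token = link.split("token=")[1]
    print("reset accepted:", svc.complete_reset(token, "new-secret"))
    print("old password now rejected:", not svc.login("alice@example.com", "old-secret"))
```

The point that matters for the original complaint is visible in `request_reset`: anyone can submit any address, but the only effect is an email to that address, so a stranger typing your address cannot lock you out. Single use and expiry on the token limit the damage if a reset email is ever read by someone else later.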


Webmaster
User
Posts: 9425

Post by Webmaster »

Implemented in v12.

