Problem description: Anybody can pretend that they lost
their password, and can request another. They only
have to know the user's login name. Imagine a poor
user, who has to change their email address on a daily
basis, just because a bad guy can force it daily.
Suggestion: A feature to disable regenerating a forgotten
password based on username. (Allow this only if the
correct email address is given.)
Gain: medium security. If coupled with the other
request - admin can force hiding all email addresses -
it would greatly enhance users' privacy and peace.
Regards,
george
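As an added illustration (not code from this thread or from yabbse itself), a Python sketch of the reset-by-username flow george describes, beside the variant he suggests that only regenerates the password when the supplied address matches the one on file. The account table, the outbox and the function names are constructed for the example.

```python
import secrets
import string

# Constructed sample data (not real yabbse records): login name -> account.
ACCOUNTS = {
    "alice": {"email": "alice@example.org", "password": "s3cret", "resets": 0},
}
# Constructed stand-in for the mail transport: (recipient, new password).
OUTBOX = []


def _new_password(length=12):
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def _regenerate_and_mail(rec):
    """Overwrite the stored password and mail it to the address on file."""
    rec["password"] = _new_password()
    rec["resets"] += 1
    OUTBOX.append((rec["email"], rec["password"]))


def reset_by_username(accounts, username):
    """The flow the report describes: knowing only the login name is enough
    to overwrite the victim's password (and have a new one mailed out)."""
    rec = accounts.get(username)
    if rec is None:
        return False
    _regenerate_and_mail(rec)
    return True  # anyone can force this, as often as they like


def reset_by_username_and_email(accounts, username, email):
    """The suggested fix: regenerate only when the submitted address matches
    the stored one. Unknown user and wrong address give the same result, so
    the caller's reply can be identical in both cases and leaks nothing."""
    rec = accounts.get(username)
    if rec is None:
        return False
    stored = rec["email"].strip().lower().encode("utf-8")
    given = email.strip().lower().encode("utf-8")
    if not secrets.compare_digest(stored, given):
        return False
    _regenerate_and_mail(rec)
    return True


if __name__ == "__main__":
    print("username only:", reset_by_username(ACCOUNTS, "alice"))
    print("wrong email:", reset_by_username_and_email(ACCOUNTS, "alice", "x@example.net"))
    print("right email:", reset_by_username_and_email(ACCOUNTS, "alice", "alice@example.org"))
```

Calling the username-only function with nothing but the login name changes the stored password every time, while the email-checked version leaves it untouched unless the correct address is supplied.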
Logged In: YES
user_id=633762
IMHO, the secret question/answer should be required and be
the only way of getting your password.
-[Unknown]
Logged In: YES
user_id=729832
I have to disagree. The secret question IMHO is no different
than a password. It should not be trivial, and it can be
forgotten.
The only way to retrieve a forgotten password should be
email, and the email address should be hidden in yabbse
anyway. (There is instant messaging available.)
Regards,
George