
#43 Disallow changing password by anybody

v2,_Trinity
open
nobody
6
2003-04-13
2003-03-09
No

Problem description: Anybody can pretend that they lost
their password, and can request another. They only
have to know the user's login name. Imagine a poor
user, who has to change their email address on a daily
basis, just because a bad guy can force it daily.

Suggestion: A feature to disable regenerating forgotten
password based on username. (Allow this only if the
correct email address is given.)

Gain: medium security. If coupled with the other
request - admin can force to hide all email addresses -
would greatly enhance user's privacy and peace.

Regards,
george
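The request above describes two distinct problems in a "forgot password" flow: the reset can be triggered by anyone who knows a login name, and the act of requesting already replaces the victim's password. The example below is added here and is not YaBB SE code; it sketches a reset handler in which the request only proceeds when the supplied email matches the stored one, the response is identical for every outcome, and the existing password stays valid until the emailed token is actually redeemed, so a spurious request changes nothing for the victim. The in-memory user table, the SHA-256 placeholder hashing and the one-hour token lifetime are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory user table for the example; the forum's real storage is assumed, not reproduced.
USERS = {
    "george": {
        "email": "george@example.org",
        "password_hash": hashlib.sha256(b"old-secret").hexdigest(),
        "reset": None,  # pending reset token, if any
    },
}

RESET_TTL_SECONDS = 3600  # assumed token lifetime

# One response for every outcome, so a requester learns nothing about which usernames or emails exist.
GENERIC_MESSAGE = "If the details match an account, a reset link has been sent to its email address."


def _norm(value):
    return value.strip().lower()


def _hash_password(password):
    # Placeholder for the example only; production code uses a proper password KDF.
    return hashlib.sha256(password.encode()).hexdigest()


def _hash_token(token):
    # Only a hash of the token is stored, so a copy of the table cannot be used to redeem it.
    return hashlib.sha256(token.encode()).hexdigest()


def request_password_reset(username, email, now=None):
    """Record a pending reset only when username AND email match the stored account.

    Returns (message, token). The message is the same in every case; the token is
    returned here only so the example can be exercised offline, in a real flow it
    is sent to the stored email address and never shown to the requester.
    Nothing about the account's current password changes at this step.
    """
    now = time.time() if now is None else now
    user = USERS.get(_norm(username))
    token = None
    if user is not None and hmac.compare_digest(_norm(user["email"]).encode(), _norm(email).encode()):
        token = secrets.token_urlsafe(32)
        user["reset"] = {"token_hash": _hash_token(token), "expires": now + RESET_TTL_SECONDS}
    return GENERIC_MESSAGE, token


def complete_password_reset(username, token, new_password, now=None):
    """Replace the password only when a live, matching token is presented. Single use."""
    now = time.time() if now is None else now
    user = USERS.get(_norm(username))
    if user is None or user["reset"] is None:
        return False
    pending = user["reset"]
    if now > pending["expires"]:
        return False
    if not hmac.compare_digest(pending["token_hash"], _hash_token(token)):
        return False
    user["password_hash"] = _hash_password(new_password)
    user["reset"] = None  # the token cannot be replayed
    return True


def check_password(username, password):
    user = USERS.get(_norm(username))
    return user is not None and hmac.compare_digest(user["password_hash"], _hash_password(password))


if __name__ == "__main__":
    # A request with the wrong email yields no token and leaves the old password working.
    print(request_password_reset("george", "someone-else@example.org"))
    print(check_password("george", "old-secret"))
```

The two points a reviewer would check are that `request_password_reset` never writes to `password_hash`, and that the matching email is required before any token is issued; together they remove the daily forced reset the ticket complains about without exposing the stored address.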

Discussion

  • George Brown

    George Brown - 2003-03-09
    • priority: 5 --> 6
     
  • Unknown W. Brackets

    Logged In: YES
    user_id=633762

    IMHO, the secret question/answer should be required and be
    the only way of getting your password.

    -[Unknown]

     
  • George Brown

    George Brown - 2003-03-10

    Logged In: YES
    user_id=729832

    I have to disagree. The secret question IMHO is no different
    than a password. It should not be trivial, and it can be
    forgotten.

    The only way to retrieve a forgotten password should be
    email, and the email address should be hidden in yabbse
    anyway. (There is instant messaging available.)

    Regards,
    George

     
  • David Recordon

    David Recordon - 2003-04-13
    • milestone: --> v2,_Trinity
     
