So, I'm a dork and had to reset my password today, and I realized that when it resets the password, it e-mails it to you, and mine was just a bunch of numbers. Now... I'm no security guru, but is it a risk? Could a hacker put your account into reset (if he knew your e-mail...) and then try to break in, since he knows all he has to do is throw numbers at it? Not only that, but he could probably reason what kind of range the generator is in (i.e. it will be more than 5 numbers). I guess the only thing that could stop him is if the account locks after x failed logins, but I remember, I think it was Twitter, didn't implement anything like that, and I frankly didn't really check myself if it's like that here.
Anyway, just a thought... figured it better I bring it up and be wrong, than not bring it up and be right too late.
To view responses click here: http://forums.developer.mindtouch.com/showthread.php?t=6295
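Worked example (added here; this is not code from the post or from the forum's software): it quantifies the concern raised above, an all-digit reset password that an attacker can trigger and then guess online, and puts a hardened reset flow beside it. The hardened version uses a long random token that is stored only as a hash, expires, is single use, and locks after a capped number of failed attempts. The class name, the 900-second lifetime, the 5-attempt cap and the injectable clock are assumptions for illustration, not settings of any real site.

```python
import hashlib
import hmac
import math
import secrets
import string
import time

# Added example, not code from the forum post or the forum software.
# The weak generator reproduces what the post describes: a temporary password
# made only of digits, so anyone who forces a reset knows the whole search space.


def weak_numeric_reset_password(n_digits: int) -> str:
    """Digits-only reset password, as described in the post (deliberately weak)."""
    return "".join(secrets.choice(string.digits) for _ in range(n_digits))


def guess_space_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random string over the given alphabet."""
    return length * math.log2(alphabet_size)


def expected_online_guesses(alphabet_size: int, length: int) -> int:
    """Average number of login attempts needed to hit the password (half the space).
    For 8 digits that is 50 million, which is feasible without a lockout."""
    return alphabet_size ** length // 2


def _digest(token: str) -> bytes:
    return hashlib.sha256(token.encode()).digest()


class ResetTokenStore:
    """Hardened reset flow (assumed design, not any real forum's): a long random
    token, stored only as a hash, short expiry, single use, and a cap on failed
    attempts. `clock` is injectable so expiry can be exercised without sleeping."""

    def __init__(self, ttl_seconds: int = 900, max_attempts: int = 5, clock=time.time):
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.clock = clock
        self._records: dict = {}

    def issue(self, user_id: str) -> str:
        # 32 random bytes = 256 bits; online guessing is hopeless, unlike 8 digits.
        token = secrets.token_urlsafe(32)
        self._records[user_id] = {
            "hash": _digest(token),
            "expires": self.clock() + self.ttl,
            "failures": 0,
        }
        return token  # sent to the user's e-mail only; never kept in clear text

    def redeem(self, user_id: str, presented: str) -> bool:
        rec = self._records.get(user_id)
        if rec is None:
            return False
        if self.clock() > rec["expires"] or rec["failures"] >= self.max_attempts:
            # Expired or locked out: drop the record so a fresh reset is required.
            del self._records[user_id]
            return False
        if hmac.compare_digest(rec["hash"], _digest(presented)):
            del self._records[user_id]  # single use
            return True
        rec["failures"] += 1
        return False


if __name__ == "__main__":
    print("weak sample:", weak_numeric_reset_password(8))
    print("bits for 8 digits:", round(guess_space_bits(10, 8), 1))
    print("avg guesses for 8 digits:", expected_online_guesses(10, 8))
    store = ResetTokenStore()
    tok = store.issue("alice")
    print("wrong guess accepted?", store.redeem("alice", "00000000"))
    print("real token accepted?", store.redeem("alice", tok))
    print("replay accepted?", store.redeem("alice", tok))
```

The numbers make the post's point concrete: an 8-digit reset password is about 26.6 bits, so an attacker who can force a reset and has no lockout to contend with needs on average 50 million login attempts, well within reach of an automated client. The lockout counter in `redeem` is what turns that into at most five guesses per reset, and the 256-bit token removes the guessing avenue altogether.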