The forgot password routine needs to be enhanced. Two new data items need to be added to the user profile: Secret Question and Secret Answer.

When the user types in their user name, the routine should look up their secret question and answer. They should then be challenged with the secret question, and if they answer wrong the Admin could be notified by email. If they answer correctly, they get the standard email that already exists.

The reason for this change is that a person wishing to reset another user's password can do it easily by requesting a new password without any authentication.
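One way to implement the challenge flow described above, as an added example that is not part of the original request: the secret answer is stored as a salted hash rather than in plain text and checked with a constant-time compare, a wrong answer produces an admin notification and no reset mail, and a right answer triggers the existing reset email. The user store, admin address and mail outbox are constructed stand-ins, not the project's own code.

```python
import hashlib
import hmac
import os
import unicodedata
from dataclasses import dataclass

ADMIN_EMAIL = "admin@example.invalid"  # constructed placeholder address


@dataclass
class User:
    username: str
    email: str
    secret_question: str
    answer_salt: bytes
    answer_hash: bytes


def normalize(answer: str) -> str:
    # Case- and whitespace-insensitive so "  FIDO " matches "fido"
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so a leaked profile table does not reveal the answers
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)


def make_user(username: str, email: str, question: str, answer: str) -> User:
    salt = os.urandom(16)
    return User(username, email, question, salt, hash_answer(answer, salt))


class ForgotPassword:
    def __init__(self, users):
        self.users = {u.username: u for u in users}
        self.outbox = []  # (recipient, subject) pairs; stands in for the mailer

    def question_for(self, username: str):
        u = self.users.get(username)
        return u.secret_question if u else None

    def answer_challenge(self, username: str, answer: str) -> bool:
        u = self.users.get(username)
        if u is None:
            return False
        ok = hmac.compare_digest(hash_answer(answer, u.answer_salt), u.answer_hash)
        if ok:
            self.outbox.append((u.email, "Password reset"))  # the existing standard email
        else:
            self.outbox.append((ADMIN_EMAIL, f"Failed secret answer for {username}"))
        return ok
```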