Re^4: It's Time for Everyone to Change Passwords!

If a password reset ability is provided to unauthenticated users (those who have forgotten their passwords can't authenticate) this function can be abused to interfere with legitimate access. Any unauthenticated user can request a password reset for any other user, as long as they know whatever is used to specify the account (typically a login ID or email address).

Who said anything about a reset? You have a form you can surf to, to say "Hey, I'm merlyn, I forgot my password". It emails you a link with a strong crypto key that when you visit that link, you're *logged in* to a password reset form.

Thus, any number of invocations of that page would not affect me if I was continuing to already know my password.

Most sites get this wrong. {sigh}

You'd think common password patterns would be already firmly tested and entrenched in every webdevs mind, after, say, a decade and a half of the web? I guess not.

-- Randal L. Schwartz, Perl hacker

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

Comment on Re^4: It's Time for Everyone to Change Passwords!

Replies are listed 'Best First'.
Re^5: It's Time for Everyone to Change Passwords! by ig (Vicar) on Jul 30, 2009 at 05:01 UTC
Even better. Not so good if there is enough information in a single email to allow a successful "login" and takeover of the account but this risk could be mitigated by supporting encryption of the email. It would also be good if the link would no longer work once the password had been changed and after some time (a few days perhaps).	[reply]


We don't bite newbies here... much
	PerlMonks