Posted on: 10/13/03 05:21pm
By: ronack
I saw a while back that there was an issue where a person or prankster could enter someones username and email and GL would automagically change their password. Thus that user would then be unable to log in, of course they would get the new password emailed to them. This would be an annoyance and if the prankster was especially malicious could cause all big time problems.
I have been on many a site where you are asked to provide a security word. (favorite pet, mothers maiden name, place born etc). Of course not fool proof but it does add a little protection for password request requiring 3 accurate items.
USERNAME, EMAIL, and SECURITY WORD.
Any chance this could be implemented in GL2?
Re:Lost Password Security Suggestion
Posted on: 10/14/03 02:02am
By: Dirk
In case you haven't noticed - the "forgot password" function was already changed in 1.3.8. It's still possible to "flood" someone with password change notification emails (provided you have some scripting capabilities - and there's also a speed limit to slow things down) but it won't change the password.
bye, Dirk