Welcome to Geeklog Thursday, April 22 2021 @ 09:36 pm EDT

Geeklog Forums

Lost Password Security Suggestion


ronack

Forum User
Full Member
Registered: 27/05/03
Posts: 612
I saw a while back that there was an issue where a person or prankster could enter someone's username and email and GL would automagically change their password. Thus that user would then be unable to log in; of course, they would get the new password emailed to them. This would be an annoyance, and if the prankster was especially malicious, it could cause big time problems.

I have been on many a site where you are asked to provide a security word (favorite pet, mother's maiden name, place born, etc.). Of course it is not foolproof, but it does add a little protection for a password request, requiring 3 accurate items:
USERNAME, EMAIL, and SECURITY WORD.

Any chance this could be implemented in GL2?

Dirk

Site Admin
Admin
Registered: 12/01/02
Posts: 13073
Location: Stuttgart, Germany
In case you haven't noticed - the "forgot password" function was already changed in 1.3.8. It's still possible to "flood" someone with password change notification emails (provided you have some scripting capabilities - and there's also a speed limit to slow things down) but it won't change the password.

bye, Dirk
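The design described in the reply above (a reset request only sends mail, is subject to a speed limit, and leaves the password untouched) can be sketched as follows. This is an added example, not part of the original thread and not Geeklog's code; the class and method names, the 300-second speed limit and the one-hour token lifetime are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

SPEED_LIMIT = 300   # assumed: seconds between accepted requests per account
TOKEN_TTL = 3600    # assumed: seconds a reset token stays valid

class ResetService:
    """Hypothetical in-memory model of a confirm-by-email password reset."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.passwords = {}     # username -> credential (a real site stores a salted hash)
        self.pending = {}       # username -> (sha256 of token, expiry time)
        self.last_request = {}  # username -> time of last accepted request
        self.outbox = []        # (username, token) pairs standing in for sent mail

    def request_reset(self, username):
        """Queue a reset mail. Never changes the password.

        Returns True if a mail was queued. The page shown to the requester
        should be identical in every case so accounts cannot be enumerated.
        """
        now = self.clock()
        if username not in self.passwords:
            return False
        last = self.last_request.get(username)
        if last is not None and now - last < SPEED_LIMIT:
            return False        # speed limit: caps how fast a victim can be flooded
        self.last_request[username] = now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[username] = (digest, now + TOKEN_TTL)  # only the hash is stored
        self.outbox.append((username, token))
        return True

    def confirm_reset(self, username, token, new_password):
        """Change the password only if the mailed token is presented in time."""
        digest, expiry = self.pending.get(username, ("", 0))
        supplied = hashlib.sha256(token.encode()).hexdigest()
        if self.clock() > expiry or not hmac.compare_digest(digest, supplied):
            return False
        del self.pending[username]  # tokens are single use
        self.passwords[username] = new_password
        return True
```

Someone who knows only a username can still cause one mail per speed-limit window, but the account owner keeps logging in with the old password unless they follow the mailed link themselves.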
