10-27-2007, 09:32 PM
#4
Moderateur
Join Date: Apr 2007
Posts: 1,393
Thanks: 5
Yes, that might be an inconvenience to the user whose password it is, but you don't need to change the password immediately. Consider the following scenario:

- Annoying person requests a new password (for an email which isn't theirs!). Or the person sends a genuine reset request. Do NOT change the password at this point.
- Email gets sent to email saying "someone requested a password reset, if this wasn't you ignore this message". Either the user ignores the message, or they're genuine and click the link to a page which does reset their password (possibly with a token to authenticate the reset request).
- Password gets reset and they enter a new, more memorable one.
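The flow described in the post above, worked through in code as an added example (this is not the poster's code or any particular forum software's implementation). The request step changes nothing about the account; it only records a hashed, time-limited, single-use token and emails a link. The password is replaced only when the confirm step receives a valid token. The class and function names, the 15-minute lifetime, the PBKDF2 parameters and the `example.invalid` URL are all assumptions made for the example.

```python
import hashlib
import hmac
import re
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Assumed lifetime for a reset link; the post does not name a value.
TOKEN_TTL_SECONDS = 15 * 60
PBKDF2_ROUNDS = 200_000


@dataclass
class User:
    email: str
    password_hash: str


@dataclass
class ResetRequest:
    email: str
    expires_at: float
    used: bool = False


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; stored as 'salt$derived_key' in hex."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + dk.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def token_from_message(message: str) -> str:
    """Pull the token out of the reset link, as the user's mail client would."""
    match = re.search(r"token=([A-Za-z0-9_\-]+)", message)
    if match is None:
        raise ValueError("no reset token in message")
    return match.group(1)


class PasswordResetService:
    """Hypothetical reset service; `now` is injectable so expiry can be tested."""

    def __init__(self, users: List[User], now: Callable[[], float] = time.time) -> None:
        self.users: Dict[str, User] = {u.email: u for u in users}
        # Keyed by SHA-256 of the token: a leaked table does not yield usable links.
        self.requests: Dict[str, ResetRequest] = {}
        self.outbox: List[Tuple[str, str]] = []  # (recipient, body), stands in for SMTP
        self.now = now

    def request_reset(self, email: str) -> None:
        """Step 1: record a pending reset and email a link. The password is untouched."""
        user = self.users.get(email)
        if user is None:
            return  # behave identically for unknown addresses; no account enumeration
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        self.requests[token_hash] = ResetRequest(email, self.now() + TOKEN_TTL_SECONDS)
        self.outbox.append((
            email,
            "Someone requested a password reset. If this wasn't you, ignore this message. "
            f"Otherwise follow this link: https://example.invalid/reset?token={token}",
        ))

    def confirm_reset(self, token: str, new_password: str) -> bool:
        """Step 2: the link was clicked. Only now is the password replaced."""
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        req = self.requests.get(token_hash)
        # Dict lookup on a hash of a high-entropy token: the hash step is what
        # prevents a timing side channel on the token bytes themselves.
        if req is None or req.used or self.now() > req.expires_at:
            return False
        req.used = True  # single use: the same link cannot reset twice
        self.users[req.email].password_hash = hash_password(new_password)
        return True
```

An unrelated third party submitting the form for someone else's address only causes one email to be sent; the account holder who ignores it keeps their existing password, and after the lifetime has passed the link is dead.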