10-27-2007, 09:32 PM
Yes, that might be an inconvenience to the user whose password it is, but you don't need to change the password immediately. Consider the following scenario:
Annoying person requests a new password (for an email which isn't theirs!). Or the person sends a genuine reset request.
Do NOT change the password at this point.
Email gets sent to the email address saying "someone requested a password reset, if this wasn't you ignore this message". Either the user ignores the message, or they're genuine and click the link to a page which resets their password (possibly with a token to authenticate the reset request).
Password gets reset and they enter a new, more memorable one.
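The flow described in the post above, as an added example that is not part of the original post: a reset request leaves the password untouched, and only a valid token from the emailed link changes it. The `ResetService` class, the in-memory stores, the one-hour `TOKEN_TTL`, storing only a SHA-256 digest of the token, and the silent handling of unknown addresses are all assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600  # assumed token lifetime in seconds; the post does not give one


class ResetService:
    """In-memory stand-in for a user table and a reset-request table."""

    def __init__(self, passwords):
        self.passwords = dict(passwords)  # email -> stored password hash
        self.pending = {}                 # email -> (sha256 of token, expiry time)
        self.outbox = []                  # (email, token) pairs standing in for sent mail

    def request_reset(self, email, now=None):
        """Record the request and mail a link. The password is NOT changed here."""
        now = time.time() if now is None else now
        if email not in self.passwords:
            return  # assumption: unknown addresses get the same silent outcome
        token = secrets.token_urlsafe(32)  # unguessable value carried in the link
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[email] = (digest, now + TOKEN_TTL)  # newest request wins
        self.outbox.append((email, token))

    def confirm_reset(self, email, token, new_password_hash, now=None):
        """Change the password only when the emailed token is valid and unexpired."""
        now = time.time() if now is None else now
        entry = self.pending.get(email)
        if entry is None:
            return False
        digest, expiry = entry
        if now > expiry:
            del self.pending[email]  # expired requests are discarded
            return False
        supplied = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, supplied):
            return False
        del self.pending[email]  # single use: the link cannot be replayed
        self.passwords[email] = new_password_hash
        return True
```

The caller is assumed to hash the new password with a proper password-hashing function before passing it in as `new_password_hash`.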