Password reminding: annoying bug

Started by dukeofgaming, June 18, 2006, 01:26:39 AM


dukeofgaming

SMF Version: SMF 1.1 RC2
Well, I'm not sure whether the password reminder is from Joomla or SMF (I'm using Orstio's bridge and the bridge registration), but when one wants to change his/her password and then goes and inputs the username and email, the password is automatically changed... I think this is not convenient 'cause anyone could change your pwd if they know your username and email...

Where can I change this?... I wouldn't like someone to reset my pwd lolol

gamesmad

It's not a security issue; maybe you could change the title of your post. You can't turn it off, and actually, I didn't think it did change it automatically. I thought it sent you a link to click where you could set a new password. I may be wrong, I've never forgotten my password.

Will

H

* Title updated and topic moved *

A dev will look into this ;)
-H
Former Support Team Lead

Orstio

Quote: "...but when one wants to change his/her password and then go and input the username and email, the password is automatically changed..."

1) Why would you use the "Forgot Password" link to change your password?  Password changes should be done in your profile.

2) The whole purpose of the "Forgot Password" system is so that when you type in your username and email, it will email you a new password.  The username and email must both match the same user, so it will not email a password to the wrong user. 

What other method of dealing with a user who has forgotten his/her password would you suggest?

dukeofgaming

What I mean is... well, suppose I'm an evil user, and I know another's username and pwd, so I pretend to be him/her and I go to "remind my pwd"... then the innocent enters and notices he cannot enter with his pwd, and checks his mail and sees that he has a new automated pwd... so he has to change it back... then I (evil user) do it again and again and again... till the innocent user collapses.

Dunno if this really happens, but it can happen...

I'd suggest that SMF, instead of creating a random pwd, mailed a confirmation link (like when you register) redirecting to a "New pwd" form.

What do you think?

Dannii

You can't be reminded of your password, because the hashing works only in one direction. There's simply no way to get your password back.
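The flow dukeofgaming suggests above (mail a confirmation link, then let the user pick a new password on a "New pwd" form) and Dannii's point that only a one-way hash is stored, sketched as an added example. This is not SMF's or the bridge's code; the class, method names, in-memory tables and the forum.example link are assumptions made for the illustration. The property worth noticing is that submitting the forgot-password form changes nothing on the account, so the repeated-reset harassment described earlier in the thread cannot lock the real owner out: the old password keeps working until whoever controls the mailbox uses the single-use, expiring link.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stand-in for the forum's member table, mailer and
# reset-token store; the class and method names are assumptions for this example.
class PasswordResetService:
    TOKEN_TTL_SECONDS = 3600      # a mailed link is only honoured for one hour
    PBKDF2_ROUNDS = 100_000

    def __init__(self):
        self.users = {}           # username -> {"email", "salt", "pw_hash"}
        self.pending = {}         # username -> {"token_hash", "expires"}
        self.outbox = []          # (recipient, link) pairs the "mailer" would send

    @staticmethod
    def _hash_password(password, salt):
        # One-way: the member table never holds the password itself, so there
        # is nothing to "remind" a user of; a reset must set a new password.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                   PasswordResetService.PBKDF2_ROUNDS)

    def register(self, username, email, password):
        salt = os.urandom(16)
        self.users[username] = {"email": email, "salt": salt,
                                "pw_hash": self._hash_password(password, salt)}

    def check_login(self, username, password):
        user = self.users.get(username)
        if user is None:
            return False
        return hmac.compare_digest(user["pw_hash"],
                                   self._hash_password(password, user["salt"]))

    def request_reset(self, username, email, now=None):
        """Step 1: the 'Forgot password' form. Nothing about the account changes
        here; the current password keeps working until the link is used, so
        repeated requests by a third party cannot lock the real user out."""
        now = time.time() if now is None else now
        user = self.users.get(username)
        # Username and e-mail must belong to the same member. Return silently
        # either way so the form does not confirm which usernames exist.
        if user is None or user["email"].casefold() != email.casefold():
            return
        token = secrets.token_urlsafe(32)
        # Store only a hash of the token: a leaked database row cannot be
        # turned into a working reset link.
        self.pending[username] = {
            "token_hash": hashlib.sha256(token.encode("utf-8")).digest(),
            "expires": now + self.TOKEN_TTL_SECONDS,
        }
        link = f"https://forum.example/reset?user={username}&token={token}"
        self.outbox.append((user["email"], link))

    def complete_reset(self, username, token, new_password, now=None):
        """Step 2: the 'New password' form reached through the mailed link. Only
        now, after the token proves control of the mailbox, is the hash replaced."""
        now = time.time() if now is None else now
        rec = self.pending.get(username)
        if rec is None or now > rec["expires"]:
            return False
        presented = hashlib.sha256(token.encode("utf-8")).digest()
        if not hmac.compare_digest(rec["token_hash"], presented):
            return False
        del self.pending[username]          # single use
        salt = os.urandom(16)
        self.users[username]["salt"] = salt
        self.users[username]["pw_hash"] = self._hash_password(new_password, salt)
        return True


def token_from_link(link):
    """Pull the token back out of a mailed link (used by the demo below)."""
    return link.split("token=", 1)[1]


if __name__ == "__main__":
    svc = PasswordResetService()
    svc.register("innocent", "innocent@example.com", "correct horse")
    # Someone else submits the forgot-password form with the victim's details:
    svc.request_reset("innocent", "innocent@example.com")
    print("old password still works:", svc.check_login("innocent", "correct horse"))
    _, link = svc.outbox[-1]
    print("reset via link:", svc.complete_reset("innocent", token_from_link(link), "new pass"))
    print("link reused:", svc.complete_reset("innocent", token_from_link(link), "again"))
```

The mailer here is just a list so the example runs offline; in a real forum the link goes out by e-mail and the token never appears anywhere else. Hashing the token in storage and comparing with `hmac.compare_digest` are the two details most often skipped in home-grown reset code.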

dukeofgaming

Sorry, I meant "forgot pwd" option, not "remind pwd"
