From: Victor Engmark
Subject: Re: Hide email validation in "Lost password" page? -- Security bug
Date: Wed, 18 Apr 2007 17:17:39 +0200
Obviously I agree as well...

What about an additional step to also check the user ID?

I mean:

1. Generate a (random?) user ID for all the already registered users
   (and do the same during registration).
2. Send the user ID by email.

When the user asks for the password reminder he must provide both
the email and the user ID.

This is to avoid a brute-force attack, i.e. the user johnHerds with
email address@hidden

The drawback is that we also need a user ID reminder... But it's quite secure.
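One way to implement the two-step check proposed in this message, as an added example that is not code from the thread or from any project it concerns. The in-memory user store and mail queue are constructed stand-ins, and the constant-time comparison and the single generic response (so the form reveals nothing about which addresses are registered) are assumptions added here.

```python
import hmac
import secrets

# Constructed in-memory stand-ins for the user database and the outgoing
# mail queue (assumptions; a real application would use its own storage).
USERS = {}            # email -> user ID
SENT_REMINDERS = []   # (email, kind) pairs that would have been mailed

GENERIC_RESPONSE = ("If the details you entered match an account, "
                    "a reminder has been sent to that address.")


def register(email):
    """Step 1: assign an unguessable random user ID at registration and
    return it so it can be sent to the user by email (step 2)."""
    user_id = secrets.token_hex(16)  # 128 random bits, not brute-forceable
    USERS[email] = user_id
    return user_id


def request_password_reminder(email, user_id):
    """Lost-password request that needs both the email and the user ID.

    Whether the email is unknown or the user ID is wrong, the caller gets
    the same response, so the form cannot be used to learn which addresses
    are registered. The comparison is constant-time so response timing does
    not reveal how many leading characters of a guessed ID were correct."""
    # Unknown emails are compared against a fresh random value so that both
    # paths do the same amount of work.
    stored = USERS.get(email) or secrets.token_hex(16)
    if hmac.compare_digest(stored.encode(), user_id.encode()):
        SENT_REMINDERS.append((email, "password"))
    return GENERIC_RESPONSE


def request_user_id_reminder(email):
    """The extra reminder the message calls a drawback: mail the user ID to
    the registered address only, again without revealing in the response
    whether that address is registered."""
    if email in USERS:
        SENT_REMINDERS.append((email, "user_id"))
    return GENERIC_RESPONSE
```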