Shoutbox

Password Reset Bug.

Password Reset Bug. by Nathan on 11-23-2009 at 12:49 PM

I wanted to reset my Nathan account, because I forgot my p/w. So I used the forgotten password tool. But it sent me emails about account ghostie and spammer. I don't remember making these accounts, but I could have. Either way it should not reset password (or send the link) for all 3 accounts, right WDZ?


RE: Password Reset Bug. by matty on 11-23-2009 at 02:32 PM

It's a crappy system and sends emails to all accounts registered under that email.


RE: Password Reset Bug. by WDZ on 11-23-2009 at 03:52 PM

quote:
Originally posted by matty
It's a crappy system and sends emails to all accounts registered under that email.

Because it doesn't know which account you forgot the password for. :p

If the form only asked for a username, someone could send me a password reset email without even knowing the address I registered with, which is kinda dodgy. And if it came up with a list of usernames associated with an email address, that would be a privacy issue because there's currently no other way to search for members by email address. :p


RE: Password Reset Bug. by blessedguy on 11-23-2009 at 04:22 PM

It wouldn't be bad to have a custom security question plus username :)


RE: Password Reset Bug. by Mnjul on 11-23-2009 at 04:59 PM

Why not ask for both username and e-mail address, and send the reset e-mail only when the input e-mail address matches that in the database for the username?
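
Added example, not part of any post in this thread and not the forum's own code: a sketch of the username-plus-e-mail check suggested above, combined with WDZ's privacy concern by giving the same reply whether or not the pair matches. The account data, `request_reset`, `redeem`, the in-memory stores and the one-hour token lifetime are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data: three accounts sharing one address, as in the thread.
USERS = {
    "Nathan": "nathan@example.com",
    "ghostie": "nathan@example.com",
    "spammer": "nathan@example.com",
}
RESET_TOKENS = {}   # sha256(token) -> (username, expiry timestamp)
OUTBOX = []         # stands in for the mailer: (address, username, token)
TOKEN_TTL = 3600    # assumed token lifetime in seconds
GENERIC_REPLY = "If the details match an account, a reset link has been sent."


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(username, email, now=None):
    """Mail one reset token only when username and e-mail belong together."""
    now = time.time() if now is None else now
    stored = USERS.get(username)
    # Compare even when the user is unknown so both paths do similar work.
    match = hmac.compare_digest((stored or "").lower().encode(),
                                email.strip().lower().encode())
    if stored is not None and match:
        token = secrets.token_urlsafe(32)
        # Only the hash is stored, so a leaked table does not yield usable links.
        RESET_TOKENS[_digest(token)] = (username, now + TOKEN_TTL)
        OUTBOX.append((stored, username, token))
    # Same reply either way: the form reveals neither usernames nor addresses.
    return GENERIC_REPLY


def redeem(token, now=None):
    """Return the username a token resets, or None; tokens are single-use."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(_digest(token), None)
    if entry is None or entry[1] < now:
        return None
    return entry[0]
```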


RE: Password Reset Bug. by Menthix on 11-23-2009 at 06:29 PM

quote:
Originally posted by blessedguy
custom security question

No. Whoever invented security questions should be shot.

quote:
Originally posted by person who should be shot
Hey, if you forgot your password you could just access your account with a second password which is easier to guess or socially engineer.

I always randomly hit my keyboard if a service requires you to set up a secret question/answer. If they ever make me answer the question the service wasn't worth using in the first place.


RE: Password Reset Bug. by toddy on 11-23-2009 at 07:30 PM

It's a good thing tbh, helps you to remember all your accounts (a)


RE: Password Reset Bug. by Lou on 11-23-2009 at 07:33 PM

quote:
Originally posted by WDZ
quote:
Originally posted by matty
It's a crappy system and sends emails to all accounts registered under that email.

Because it doesn't know which account you forgot the password for. :p

If the form only asked for a username, someone could send me a password reset email without even knowing the address I registered with, which is kinda dodgy. And if it came up with a list of usernames associated with an email address, that would be a privacy issue because there's currently no other way to search for members by email address. :p

You could very easily have a "click this link to set a new password" link if they just input the username. Thus, if you get it, and it wasn't you, you can click the report link, or do nothing at all. :undecided: I don't think entering a username is such a bad idea.


RE: Password Reset Bug. by Menthix on 11-23-2009 at 08:47 PM

I'm surprised you are allowing multiple accounts on a single email address anyway :o.


RE: Password Reset Bug. by toddy on 11-23-2009 at 08:51 PM

quote:
Originally posted by Menthix
I'm surprised you are allowing multiple accounts on a single email address anyway :o.

there is nothing in the rules saying u can't have multiple accounts