quote:
Originally posted by V@no
after user submitted their email address, send a link (with some unique hash/id, which could be a MD5 hash from old email + new email, granted it would require an additional field in the users database). The user will then be required to visit that address where they can change their password.
... although it shouldn't be a hash of the old and new email address because that can easily be guessed, calculated and abused too. It should be like in any other 'forgot pwd' system: just a random GUID, impossible to guess, and which expires after a very short time. Otherwise it will not solve your point B either.
And as for your point A: that can't be solved like that in a secure way. The user must always have access to the email address he provided when he signed up, otherwise he is out of luck. The ability to enter an alternative email address to send the link to, without any further validation, is a very massive 'no-no' and an open door for hacking. Stuff like this is usually solved by setting an alternative email address in your user profile _after_ you have successfully signed in (thus with the correct password); it is never asked, and should never be asked when you click a "forget pwd" link. The user should be able to select the option to send the link to his alternative email though, provided he set one up before.
Either way, yes, that "forget pwd" system should indeed be revised too.
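The reset-token design described in the reply above, as an added example (my own code, not from the thread or any project discussed in it): the token is drawn from the OS random generator rather than derived from the old and new email addresses, only a hash of it is stored server-side, it expires after a short time, and it can be used once. The link destination is restricted to the sign-up address or an alternative address the user had already saved while signed in. All names (`ResetTokenStore`, `issue_token`, `consume_token`, `pick_destination`, the `clock` parameter) are my own assumptions.

```python
"""Added example: unguessable, short-lived, single-use password-reset tokens.

Assumptions (not from the forum post): class and function names, the 15-minute
lifetime, and the injectable `clock` used so expiry can be exercised offline.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class User:
    user_id: int
    email: str                          # address verified at sign-up
    alt_email: Optional[str] = None     # set only from the profile page, after signing in


@dataclass
class _TokenRecord:
    user_id: int
    expires_at: float
    used: bool = False


class ResetTokenStore:
    """Server-side record of outstanding reset tokens (in memory for the example)."""

    TTL_SECONDS = 15 * 60  # the token is only good for a short window

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        # Keyed by sha256(token): a leaked copy of this table cannot be replayed.
        self._records: Dict[str, _TokenRecord] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue_token(self, user: User) -> str:
        # 32 bytes from the OS CSPRNG. Unlike md5(old_email + new_email) this cannot
        # be recomputed by anyone who knows the user's addresses.
        token = secrets.token_urlsafe(32)
        self._records[self._digest(token)] = _TokenRecord(
            user_id=user.user_id,
            expires_at=self._clock() + self.TTL_SECONDS,
        )
        return token  # goes into the emailed link; the server keeps only the hash

    def consume_token(self, token: str) -> Optional[int]:
        """Return the user id if the token is known, unexpired and unused, else None."""
        rec = self._records.get(self._digest(token))
        if rec is None or rec.used or self._clock() > rec.expires_at:
            return None
        rec.used = True          # single use: a second click on the same link fails
        return rec.user_id


def pick_destination(user: User, requested: Optional[str]) -> str:
    """Choose where the reset link may be sent.

    The 'forgot password' form never gets to supply an arbitrary address; only the
    sign-up email or an alternative the user saved while signed in is acceptable.
    """
    if requested is None or requested == user.email:
        return user.email
    if user.alt_email is not None and requested == user.alt_email:
        return user.alt_email
    raise ValueError("reset links are only sent to previously verified addresses")


if __name__ == "__main__":
    store = ResetTokenStore()
    alice = User(1, "alice@example.invalid", "alice.alt@example.invalid")  # constructed
    link_token = store.issue_token(alice)
    print("send to:", pick_destination(alice, None))
    print("first use ->", store.consume_token(link_token))   # 1
    print("second use ->", store.consume_token(link_token))  # None
```

The store keys records by a hash of the token, so an attacker who reads the database still cannot build a valid link, and the dictionary lookup does not need a constant-time comparison because the token itself carries 256 bits of entropy. In a real deployment the records would live in the user database (the extra column mentioned in the quoted post) and the `clock` would simply be `time.time`.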