in reply to Re^3: It's been ten years ...
in thread It's been ten years ...
> Yes, of course. You can improve easily by creating a fresh random password and mailing that to the user, and then store it encrypted.

No, please no!
(I know many websites do this.)
So everyone claiming "I am user X and I forgot my password" can now reset my password, and I am locked out and have to check my email.
The minimum password procedure should be: store an intermediate token, send the user a link with that token and then let them enter their new password. And that means, we need a new endpoint *and* a new database table probably. So it's not that trivial.
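The two-endpoint flow described above, as an added Python example (not code from the original post or from PerlMonks). The two dicts stand in for the user table and the new reset-token table, the reset URL is an assumed placeholder, and the naive single-step variant is included beside it to show why a stranger's request alone locks the real user out:

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60          # reset links expire after 15 minutes

# Constructed in-memory stand-ins for the two tables a real app would need.
USERS = {}           # email -> {"salt": bytes, "pw_hash": bytes}
RESET_TOKENS = {}    # sha256(token) hex -> {"email": str, "expires": float}


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def set_password(email, password):
    """Create the account or replace its password (fresh salt each time)."""
    salt = secrets.token_bytes(16)
    USERS[email] = {"salt": salt, "pw_hash": _hash_password(password, salt)}


def verify_login(email, password):
    user = USERS.get(email)
    if user is None:
        return False
    return hmac.compare_digest(user["pw_hash"],
                               _hash_password(password, user["salt"]))


def naive_reset(email):
    """The flow the parent post suggests: a random password is generated,
    stored and mailed. Whoever submits the form locks the real user out."""
    if email not in USERS:
        return None
    new_password = secrets.token_urlsafe(12)
    set_password(email, new_password)
    return new_password          # this is what would be mailed


def _token_hash(token):
    # Only the hash is stored, so a leaked table cannot be used to reset.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email, now=None):
    """Endpoint 1 ("I forgot my password"): records a token and changes
    nothing else. Returns the link to mail, or None for an unknown address;
    the HTTP reply the caller sends must look the same either way."""
    now = time.time() if now is None else now
    if email not in USERS:
        return None
    # One outstanding token per user: drop any earlier ones.
    for stale in [h for h, rec in RESET_TOKENS.items() if rec["email"] == email]:
        del RESET_TOKENS[stale]
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[_token_hash(token)] = {"email": email,
                                        "expires": now + TOKEN_TTL_SECONDS}
    return "https://example.invalid/reset?token=" + token   # assumed URL


def complete_reset(token, new_password, now=None):
    """Endpoint 2 (the link target): the only place the password changes.
    The token is single-use and must not have expired."""
    now = time.time() if now is None else now
    rec = RESET_TOKENS.pop(_token_hash(token), None)
    if rec is None or now > rec["expires"]:
        return False
    set_password(rec["email"], new_password)
    return True
```

Until `complete_reset` is called with the token that was mailed, the stored password is untouched, so a request from someone who is not the account owner changes nothing. Storing only the token's hash means a dump of the reset table is not enough to take over accounts.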
Re^5: It's been ten years ...
by LanX (Saint) on Jul 30, 2019 at 12:18 UTC