[wp-hackers] Lost Password
graeme at samurai.com
Tue Nov 15 22:03:11 GMT 2005

A proper key -- like, say, a hash of the generated password -- is as
secure as the password itself, no?

Alex King wrote:
> I like your suggestion, but it is slightly less secure. In your flow
> below, someone could theoretically type in the URL with a guessed
> forgotten password key, create a new password and get right in. By
> mailing a new password to the user, someone would have to have access to
> your mailbox to steal your password via the forgot password feature.
> On Nov 15, 2005, at 2:17 PM, John Joseph Bachir wrote:
>> 1) fill out lost password form
>> 2) system emails you a special URL to visit
>> 3) you visit the special URL
>> 4) this web page has you type in a new desired password. As a bonus,
>> it automatically logs you in too.
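
The four-step reset flow quoted above, sketched as an added example (not code from the thread or from WordPress). It assumes the emailed key is a 256-bit random value rather than a hash of a generated password; the in-memory tables, `RESET_TTL` and all function names are illustrative.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL = 3600  # assumed lifetime of a reset key, in seconds

# Constructed in-memory stand-ins for the user table and reset-key table.
users = {"alice": {"password_hash": "old-hash-placeholder"}}
pending = {}  # username -> (sha256 hex of key, expiry timestamp)


def _digest(key):
    return hashlib.sha256(key.encode()).hexdigest()


def hash_password(password):
    """Salted PBKDF2 hash; the iteration count is an assumed setting."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return salt.hex() + "$" + dk.hex()


def issue_reset_key(username, now=None):
    """Steps 1-2: create the key that goes into the emailed URL."""
    now = time.time() if now is None else now
    key = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    # Store only a hash, so a leaked table does not yield usable keys.
    pending[username] = (_digest(key), now + RESET_TTL)
    return key


def redeem_reset_key(username, key, new_password, now=None):
    """Steps 3-4: check the key from the URL, then set the new password."""
    now = time.time() if now is None else now
    record = pending.get(username)
    if record is None:
        return False
    stored, expires = record
    # Reject expired keys; compare in constant time to avoid a timing oracle.
    if now > expires or not hmac.compare_digest(stored, _digest(key)):
        return False
    del pending[username]  # single use: a replayed URL no longer works
    users[username]["password_hash"] = hash_password(new_password)
    return True
```
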