[wp-hackers] Lost Password
Jeff Minard
jeff at jrm.cc
Thu Nov 17 17:35:28 GMT 2005
Alex King wrote:
> I like your suggestion, but it is slightly less secure. In your flow
> below, someone could theoretically type in the URL with a guessed
> forgotten password key, create a new password and get right in. By
> mailing a new password to the user, someone would have to have access to
> your mailbox to steal your password via the forgot password feature.
>
http://mydomain.com/wp-login?action=reset&key=6502f1bd3cd9f03ff97f5f6a777a8e455bbd7ca2
Note, that the key will only exists if it has been requested. This seems
just as secure as a password to me.
You could brute for the login script, or you could brute force the ...
login script.
And if you give the key an expiration of, say, 5 minute it'd be all the
more effective. (Maybe 10 -- who can't get an email in 10 minutes...)
Jeff
More information about the wp-hackers
mailing list