[wp-hackers] Lost Password

Jeff Minard jeff at jrm.cc
Thu Nov 17 17:35:28 GMT 2005

Alex King wrote:
> I like your suggestion, but it is slightly less secure. In your flow
> below, someone could theoretically type in the URL with a guessed
> forgotten password key, create a new password and get right in. By
> mailing a new password to the user, someone would have to have access to
> your mailbox to steal your password via the forgot password feature.


Note, that the key will only exists if it has been requested. This seems 
just as secure as a password to me.

You could brute for the login script, or you could brute force the ... 
login script.

And if you give the key an expiration of, say, 5 minute it'd be all the 
more effective. (Maybe 10 -- who can't get an email in 10 minutes...)


More information about the wp-hackers mailing list