Improve password reset (new: security concerns here)
Bug #457371 reported by root
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
psiphon | Fix Committed | Unknown | Unassigned |
Bug Description
Instead of being a checkbox on the login page, password reset should be a separate page explaining what will happen and confirming that that user wants to proceed.
It should allow the use of a username and not just an email address (which is a bug the current code has). (But it should also detect if the username has an email address associated with it.)
Changed in psiphon: | |
status: | New → Confirmed |
tags: | added: poser |
tags: | removed: poser |
visibility: | private → public |
tags: | added: category1 |
* Security concerns here
* If you know a valid user email, you can flood their email box as there's no throttle or daily limit
* There's an email probing attack here as the system tells you when you enter a valid/invalid email address
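
One way a reset handler can address both concerns raised in the comment above, shown as an added example that is not part of the original bug report or Psiphon's code. The class name `ResetGate`, the in-memory user store and outbox, and the limits (one mail per 300 seconds, three per day) are assumptions chosen for illustration.

```python
import time

# Identical reply for every outcome, so the response does not reveal whether
# the username or email address exists.
GENERIC_REPLY = "If that account exists and has an email address, a reset link has been sent."

class ResetGate:
    """Hypothetical reset-request handler: uniform reply plus per-account throttle."""

    def __init__(self, users, min_interval=300, daily_limit=3, clock=time.time):
        self.users = users                  # username -> email or None (constructed store)
        self.by_email = {e.lower(): u for u, e in users.items() if e}
        self.min_interval = min_interval    # seconds between mails to one account
        self.daily_limit = daily_limit      # mails per account per 24 hours
        self.clock = clock
        self.sent = {}                      # username -> timestamps of mails sent
        self.outbox = []                    # stands in for the real mailer

    def _resolve(self, identifier):
        # Accept either a username or an email address.
        ident = identifier.strip()
        if ident in self.users:
            return ident
        return self.by_email.get(ident.lower())

    def _allowed(self, user, now):
        # Keep only the last 24 hours of history, then apply both limits.
        recent = [t for t in self.sent.get(user, []) if now - t < 86400]
        self.sent[user] = recent
        if len(recent) >= self.daily_limit:
            return False
        return not recent or now - recent[-1] >= self.min_interval

    def request_reset(self, identifier):
        now = self.clock()
        user = self._resolve(identifier)
        email = self.users.get(user) if user else None
        if email and self._allowed(user, now):
            self.sent[user].append(now)
            self.outbox.append((email, now))
        # Unknown user, user without email, throttled and success all look the same.
        return GENERIC_REPLY
```

The throttle is keyed on the target account rather than the requester, so it caps the mail a victim receives no matter how many clients send requests.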