Improve password reset (new: security concerns here)

Bug #457371 reported by root
Affects: psiphon | Status: Fix Committed | Importance: Unknown | Assigned to: Unassigned | Milestone: (none)

Bug Description

Instead of being a checkbox on the login page, password reset should be a separate page explaining what will happen and confirming that the user wants to proceed.

It should allow the use of a username and not just an email address (which is a bug the current code has). (But it should also detect if the username has an email address associated with it.)

Tags: category1
root (n-root-psiphon-ca) wrote :

* Security concerns here
    * If you know a valid user email, you can flood their email box as there's no throttle or daily limit
    * There's an email probing attack here as the system tells you when you enter a valid/invalid email address

root (n-root-psiphon-ca) wrote :

Fixed the probing attack by not

root (n-root-psiphon-ca) wrote :

Temporary solution will be implemented for April. Full implementation put into May / 09 release.

root (n-root-psiphon-ca) wrote :

Temporary solution gives the same feedback whether the email address is valid or not, although it's still possible that there's a timing attack as the success case sends an email (doesn't enqueue, sends -- but that may just enqueue in the SMTP server process).

There's still no throttling or daily limit. Maybe this could piggyback on the throttling done for email verification in April/2.2.

root (n-root-psiphon-ca) wrote :

Let's be very careful not to make this very important feature unusable in the name of fixing an email probing vulnerability.... As it's designed, 90% of users will try to enter their usernames into this form. Are we still going to provide a sufficiently-informative error message that they won't keep doing the same thing? (See comments in [/ticket/86 Ticket #86]).

root (n-root-psiphon-ca) wrote :

Note: password-reset spam is not just spam. It actually disables a user's account until she thinks to check her email. This is one of the reasons why we want to move to an internal password-reset link that doesn't actually change anything until it is (at least) clicked by the recipient.

root (n-root-psiphon-ca) wrote :

Replying to [comment:5]:

Made it so reset works if either username or email is entered. Updated the prompts to be a bit more helpful (although there's no negative feedback for invalid email or username). It's still using the Reset combo box thing on the Login page, and the whole thing still needs to be redone properly.

> Let's be very careful not to make this very important feature unusable in the name of fixing an email probing vulnerability.... As it's designed, 90% of users will try to enter their usernames into this form. Are we still going to provide a sufficiently-informative error message that they won't keep doing the same thing? (See comments in [/ticket/86 Ticket #86]).

root (n-root-psiphon-ca) wrote :

Merging this ticket here:

Password-change requests: send "password-change link" rather than the actual password?
Reported by: **** Owned by: ****
Priority: major Milestone:
Component: Business Requirements Version:
Keywords: 2009-q2 Cc:
Origin: Customer Request Estimate:
Due Date: 200X/xx/xx Software Components: Management System
% Complete: 0%
Description

Isn't this what most sites do, nowadays?

* I submit the password-change request
* I get an email with an internal HTTPS password-change link
    * Links are long enough that they're difficult to enumerate
    * Links are valid for a short time (one week?)
* I follow the link to change my password
    * It only works for that user
    * I may or may not be quizzed about some "security questions"
        * Should we make them confirm the email address?
    * I choose (and confirm) a new password
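The link-based flow sketched in the merged ticket, combined with the earlier comments about giving identical feedback for valid and invalid identifiers, enqueuing rather than sending the email, and adding a daily limit, as an added illustration (example code, not Psiphon's own; the user directory, the limit values and the reset URL are constructed):

```python
import hashlib, hmac, secrets, time
from collections import defaultdict
from dataclasses import dataclass, field

TOKEN_TTL = 7 * 24 * 3600      # links "valid for a short time (one week?)"
MAX_PER_DAY = 3                # constructed daily limit per account
GENERIC_MSG = "If that username or email matches an account, a reset link is on its way."

@dataclass
class ResetService:
    users: dict                                   # constructed directory: username -> email
    outbox: list = field(default_factory=list)    # queued mail; a worker does the SMTP send later
    tokens: dict = field(default_factory=dict)    # sha256(token) -> (username, expiry)
    history: dict = field(default_factory=lambda: defaultdict(list))

    def lookup(self, identifier):
        # accept either a username or an email address, as the fix in the thread does
        for user, email in self.users.items():
            if identifier == user or identifier.lower() == email.lower():
                return user
        return None

    def request_reset(self, identifier, now=None):
        now = time.time() if now is None else now
        user = self.lookup(identifier)
        if user is not None:
            recent = [t for t in self.history[user] if now - t < 86400]
            if len(recent) < MAX_PER_DAY:             # daily limit stops mailbox flooding
                recent.append(now)
                token = secrets.token_urlsafe(32)      # 256 random bits: not enumerable
                self.tokens[self._key(token)] = (user, now + TOKEN_TTL)
                # enqueue only: an SMTP round trip here would make a hit measurably slower
                self.outbox.append((self.users[user], f"https://example.invalid/reset?token={token}"))
            self.history[user] = recent
        # same message for unknown identifier, known identifier and throttled account
        return GENERIC_MSG

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()   # store a digest, not the token

    def consume(self, token, user, now=None):
        """Single use, time limited, bound to one user; the password only changes here."""
        now = time.time() if now is None else now
        entry = self.tokens.get(self._key(token))
        if entry is None or now > entry[1] or not hmac.compare_digest(entry[0], user):
            return False
        del self.tokens[self._key(token)]
        return True
```

Nothing about the account changes at request time, so a flood of requests only fills the outbox queue up to the daily limit; the account is touched only when `consume` succeeds.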

root (n-root-psiphon-ca) wrote :

Milestone May 2009 Release deleted

Adam P (adam+)
Changed in psiphon:
status: New → Confirmed
Chris (poser)
tags: added: poser
Chris (poser) wrote :

The current position of the "password reset" checkbox is where the "stay signed in" or "remember me" checkbox traditionally lives. Some people check it automatically. As part of our password reset redesign (even if we leave it as a checkbox, which I doubt), we should make sure to avoid this issue.

Chris (poser)
tags: removed: poser
Rod (rod-psiphon)
visibility: private → public
Rod (rod-psiphon)
tags: added: category1
Rod (rod-psiphon) wrote :

Link functionality in new Bug #576643

Changed in psiphon:
status: Confirmed → Fix Committed