Strengthen the password-reset-by-email feature

Bug #1026982 reported by François Marier
Affects                 Status     Importance  Assigned to  Milestone
Libravatar (obsolete)   Confirmed  High        Unassigned

Bug Description

Here are some good tips on how to strengthen password resets via email:

  http://security.stackexchange.com/questions/1918

François Marier (fmarier) wrote :

Now that Persona support is gone (bug 1533018), we need to make sure that password resets are solid.

Currently, the logic in account/forms.py::PasswordResetForm() is broken because it assumes that if you don't have a password set, you shouldn't be able to reset it and should instead use OpenID or Persona to log in.

description: updated
Changed in libravatar:
assignee: nobody → François Marier (fmarier)
status: Triaged → Confirmed
importance: Low → High
François Marier (fmarier) wrote :
tags: added: buster
François Marier (fmarier) wrote :
tags: added: passwords
Changed in libravatar:
assignee: François Marier (fmarier) → nobody