Password-change requests: send "password-change link" rather than the actual password?

Reported by: ****
Owned by: ****
Priority: major
Milestone:
Component: Business Requirements
Version:
Keywords: 2009-q2
Cc:
Origin: Customer Request
Estimate:
Due Date: 200X/xx/xx
Software Components: Management System
% Complete: 0%

Description
Isn't this what most sites do, nowadays?

* I submit the password-change request
* I get an email with an internal HTTPS password-change link
    o Links are long enough that they're difficult to enumerate
    o Links are valid for a short time (one week?)
* I follow the link to change my password
    o It only works for that user
    o I may or may not be quizzed about some "security questions"
        + Should we make them confirm the email address?
    o I choose (and confirm) a new password
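The link-issuing and link-checking steps of the flow above, as an added example that is not part of the ticket or the Management System: the token is long (256 bits) so it cannot be enumerated, expires after the one week the ticket suggests, is bound to one user, and can be used only once. The in-memory dict, the base URL and the function names are assumptions standing in for a real token table.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional

# Constructed in-memory token table (assumption; a database in practice):
# sha256(token) -> {"user_id", "expires_at", "used"}
RESET_TOKENS: Dict[str, dict] = {}
TOKEN_TTL_SECONDS = 7 * 24 * 3600  # the "one week?" from the ticket


def _hash_token(token: str) -> str:
    # Store only a hash so a leaked table does not yield usable links.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_link(user_id: str, base_url: str, now: Optional[float] = None) -> str:
    """Create a single-use reset token bound to user_id; return the HTTPS link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 32 random bytes: infeasible to enumerate
    RESET_TOKENS[_hash_token(token)] = {
        "user_id": user_id,
        "expires_at": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return f"{base_url}/reset?token={token}"


def consume_reset_token(token: str, user_id: str, now: Optional[float] = None) -> bool:
    """Return True (and burn the token) only if the link is valid for this user."""
    now = time.time() if now is None else now
    rec = RESET_TOKENS.get(_hash_token(token))
    if rec is None or rec["used"] or now >= rec["expires_at"]:
        return False  # unknown, already used, or expired link
    if rec["user_id"] != user_id:
        return False  # link only works for the user it was issued to
    rec["used"] = True  # one password change per link
    return True
```

After `consume_reset_token` returns True the application would prompt for (and confirm) the new password; any optional security questions or email confirmation would sit between the two calls.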
Merging this ticket here: