mailing list archives
Re: "Forgot Password" function
From: "Kevin Spett" <kspett () spidynamics com>
Date: Fri, 18 Oct 2002 15:52:15 -0400
Try the transport of the email itself is plaintext and in theory hijacking
is possible. Perhaps
tie the id to the ip addy of the person requesting it so that only the
person requesting the password
can view this link that times out after 1 use.
IP-based solutions have many problems because of NAT, user mobility, etc.
that have been discussed on this list before so I'm nto going to rehash
them. If an attacker has compromised a mailserver and knows a user has an
account with a website, requesting a new password via email would make a lot
of sense. Verification with other personal information is the way to go.