<Snip>

> Because resetting someone's password to something that is basically
> public information, their phone number, is asking for accounts to be
> hijacked.

If that is the case you could argue that the setting shouldn't exist in the first place. What is worse? A database full of users who have never changed their password from the default phone number or a few manually reset passwords?

Bob Wicksall
Systems Administrator
Pioneer Library System
2557 State Rt. 21
Canandaigua, New York 14424

----- Original Message -----
> From: "Jason Stephenson" <jstephen...@mvlc.org>
> To: open-ils-general@list.georgialibraries.org
> Sent: Friday, August 3, 2012 9:27:00 AM
> Subject: Re: [OPEN-ILS-GENERAL] Password reset uses phone number fails: EG2.2
>
> Quoting Thomas Berezansky <tsb...@mvlc.org>:
>
> > All future resets would still be random.
>
> Because resetting someone's password to something that is basically
> public information, their phone number, is asking for accounts to be
> hijacked.
>
>
> --
> Jason Stephenson
> Assistant Director for Technology Services
> Merrimack Valley Library Consortium
> Chief Bug Wrangler, Evergreen ILS
>