This does make it harder to write a bot which breaks into the site,
but
doesn't add much security beyond the random password implementation
that's already there. True, this prevents the case where _you_
request
a reset and a lurking, patient attacker with a packet sniffer could
grab the (cleartext) temporary password and get to the site before
you,
but IMO that is not worth the extra effort for that little slice of
security when a lazier attacker with that same packet sniffer could
request a reset of your account and perform all of this while you
sleep. Smart crackers choose to attack in the second way, since that
requires the same tools and knowledge but not as much patience.
There's no temporary password. The user is allowed to change it
themselves (over SSL, where the cookie is sent and received), and it
never ends up in the email.
--
Erik Hollensbe
[EMAIL PROTECTED]
_______________________________________________
PDXRuby mailing list
[email protected]
IRC: #pdx.rb on irc.freenode.net
http://lists.pdxruby.org/mailman/listinfo/pdxruby
