Send 2 emails, the 1st informing that passwd reset is activated and a
following email will contain the temp. passwd.
Then send the passwd in the 2nd email. And if the 2nd email does not
mention an acct name, then it's reasonably safe.
2010/10/26 José Romero <jose.cyb...@gmail.com>:
> On Tue, 26 Oct 2010 16:57:10 +0200
> Alexander Burger <a...@software-lab.de> wrote:
>> Hi José,
>> > 1. When the user presses the reset pass button on a valid user,
>> > generate a random password.
>> > 2. Store it in a special field in the User object (rpass?) along
>> > with the date on which that random pass was generated (rdate?)
>> > 3. Send it to the user in an email like this:
>> > Subject: Password reset for user (username) at (name-of-the-site)
>> > ...
>> Thanks, this sounds reasonable.
>> The only problem I see is sending the new password in an unencrypted
>> email. Shouldn't be a big risk, I suppose. Otherwise, we could extend
>> the user account so that everyone can deposit his public key, and
>> enable this password reset functionality only for people who have
>> done so.
>> - Alex
> Well many sites use this scheme, some with special links and such, the
> risk is greatly diminished though because the user just needs to log
> in to render those credentials invalid.
> UNSUBSCRIBE: mailto:picol...@software-lab.de?subject=unsubscribe
Boh Heong, Yap
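The reset flow discussed in this thread (random temp password stored in rpass/rdate, two-mail delivery without the account name, invalidation once the user logs in), worked through as an added Python example; this is not PicoLisp code from the project or from any poster. The User class, the one-hour validity window and the epoch-seconds timestamps are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

RESET_TTL = 3600  # assumed validity window in seconds; the thread names none


class User:
    """Stand-in for the thread's User object with the proposed rpass/rdate
    fields (constructed for this example)."""
    def __init__(self, name):
        self.name = name
        self.rpass = None   # hash of the temp password, never the plaintext
        self.rdate = None   # epoch seconds when it was generated


def _digest(secret):
    # The temp password is high-entropy, so a plain SHA-256 is enough to
    # keep a database leak from exposing a usable credential.
    return hashlib.sha256(secret.encode()).hexdigest()


def start_reset(user, now):
    """Steps 1 and 2: generate the random password, store hash + timestamp.
    The plaintext is returned exactly once, for the e-mail body."""
    temp = secrets.token_urlsafe(12)
    user.rpass = _digest(temp)
    user.rdate = now
    return temp


def compose_emails(site, temp):
    """Step 3 in the two-mail variant from the top of the thread: the first
    mail only announces the reset, the second carries the password alone,
    with no account name that would tie it to a login."""
    first = f"Subject: Password reset at {site}\n\nA temporary password follows in a separate mail."
    second = f"Subject: {site}\n\n{temp}"
    return first, second


def login_with_temp(user, candidate, now):
    """Accept the temp password once, and only while fresh. Clearing the
    fields on use is what makes a later intercepted mail worthless."""
    if user.rpass is None or user.rdate is None:
        return False
    if now - user.rdate > RESET_TTL:
        user.rpass = user.rdate = None   # expired: discard it
        return False
    if not hmac.compare_digest(user.rpass, _digest(candidate)):
        return False
    user.rpass = user.rdate = None       # consumed: one-shot credential
    return True
```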