Ineiev wrote:
> In savane/frontend/php/account/register.php, I see a message
> like "For better security we advise you to change your password
> as soon as possible." (it's sent in the confirmation message).

That is in the link sent by email to the person to confirm their email address, right?

> I wonder why; is the procedure for changing the password
> inherently more secure?

The link sent to you by email may be eavesdropped upon. But when you connect with https, then if you trust the CA (certificate authority) that signed the https certificate (historically there have been problems with that), you can trust that your connection to the site is secure. Changing your password over https should be very secure, more so than if anything is sent to you by email.

Also I will note that there have been some incidents at other sites where SMS text messages were subverted. Therefore SMS tokens are not good security either.

Bob
