Tony wrote:
> Or...
> 
> Ask the subscriber id (line number), and if valid, ask the 
> registered email address (making the visitor supply two 
> pieces of information).

Hmm.  Also prompting for an email address sounds tempting.  (Remember, the 
password will not be changed until the link sent to the email address is 
followed.)

So this would prevent a malicious person from causing the system to send 
unwanted emails, but only for users whose email address is not known by the 
malicious person.  I don't think this condition is worth the added complexity.


> Maybe have them set a secret question like favourite dog too, 
> before the email will be generated and sent to them.

I am not in favour of this.  Secret questions would add complexity, and I 
suspect most of them are either written down or forgotten.


Todd wrote:
> Or, if they lose their password, they can select a link to 
> reset the password.

This is my objection to the original proposal.  We need some barrier to keep 
malicious persons from trivially causing PINs to be changed.

With my proposed change, a malicious person will need to learn the secret link 
that the system emails, before a password is changed.  (Not impossible to 
hack/sniff, but at least it's not trivial.)


-Paul
[email protected]

_______________________________________________
sipx-dev mailing list [email protected]
List Archive: http://list.sipfoundry.org/archive/sipx-dev
Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-dev
sipXecs IP PBX -- http://www.sipfoundry.org/
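
The reset flow discussed in the message above (a request only causes an email; the PIN changes once the emailed secret link is followed), sketched as an added example that is not part of the original post and is not sipXecs code. The class name PinReset, the one-hour lifetime and the in-memory dictionaries are assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 3600  # seconds an emailed link stays valid (assumed value)


class PinReset:
    """Hypothetical store: the PIN changes only when the emailed token comes back."""

    def __init__(self, pins, clock=time.time):
        self.pins = pins      # subscriber id -> current PIN (plain text only for brevity)
        self.pending = {}     # sha256(token) -> (subscriber id, expiry time)
        self.clock = clock    # injectable so expiry can be exercised in a test

    def request_reset(self, subscriber_id):
        """Return the secret to embed in the emailed link, or None for an unknown id.

        Nothing about the account changes here, so a stranger who triggers
        a request only causes an email to be sent.
        """
        if subscriber_id not in self.pins:
            return None
        # A new request supersedes any earlier outstanding link for this subscriber.
        self.pending = {h: v for h, v in self.pending.items()
                        if v[0] != subscriber_id}
        token = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Only the hash is kept, so a leaked table does not yield usable links.
        self.pending[digest] = (subscriber_id, self.clock() + TOKEN_TTL)
        return token

    def confirm(self, token, new_pin):
        """Apply the change if the token is known, unexpired and not yet used."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # single use: removed on first lookup
        if entry is None:
            return False
        subscriber_id, expiry = entry
        if self.clock() > expiry:
            return False
        self.pins[subscriber_id] = new_pin
        return True
```

The page that calls request_reset should show the same response whether or not the subscriber id exists, so the form does not confirm which ids are valid.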
