Even if someone requests a password for admin, it will only go to the email account specified in the profile.
I do run a nightly service that is like my own dictionary service for passwords that are common. Then the system sends a password reset to the email.

BJ Freeman sent the following on 7/30/2011 10:22 AM:
> They may have a party Sales. At least in my systems, the login is email
> addresses. It is harder for dictionary attacks to be effective.
>
>
> Mike sent the following on 7/30/2011 7:41 AM:
>> There must be something more. Any organization would have generic
>> logins, like "sales", or it would be easy to guess employee logins
>> from the "about us" page. It makes sense that the password reset
>> should be intended ONLY for customers, not (any) system-type login.
>>
>> I would think that the password reset feature should be limited to
>> certain roles, like "Customer".
>>
>> On Sat, Jul 30, 2011 at 4:00 AM, BJ Freeman <[email protected]> wrote:
>>> For production systems, do not use "admin" as a login.
>>> It is never created.
>>>
>>> Mike sent the following on 7/30/2011 12:10 AM:
>>>> Why is it that *any* user can, using the password reset or "Forgot
>>>> Your Password" can actually force "admin" to change the password? Is
>>>> there a way to turn this off?
