I agree with you, Mike. Every week I get a couple of mails from Gmail and
FB telling me that I had requested to reset my password and to click on a
link to confirm the request, and I simply ignore such mails as I know I
never asked to change my password. Imagine, if Gmail changes my password
every time someone goes to the Gmail login page, enters my id and hits "Forgot
Password", I will be changing my password many times a week.
Thanks,
Raj
On Friday 05 August 2011 04:55 AM, Mike wrote:
BJ, I fail to see how this could possibly be a feature. Right now,
I'm at the level where I fiddle around with the code. As a new user,
should I be expected to have to review the code to see if it stands up
to security standards? I don't know much, but I do know when
something isn't right, and this happens to be one of those. In the
real world, people use friendly names to send/receive email and
conduct business. They shouldn't be expected to remember a user name
like mikej49q because an application needs obfuscation to protect
itself.
I would hope that maybe this feature could be reduced to a certain
sub-set of users, whose login name is optionally in the format of an
email address, and maybe require a captcha code to prevent dictionary
attacks.
On Thu, Aug 4, 2011 at 10:56 AM, BJ Freeman<[email protected]> wrote:
Yes David, if it is a bug, but by your definition many times this is a
feature.
My point of the second paragraph that you did not include
1) part of the solution providing a way to circumvent security issues
not part of OFBiz but how one sets up OFBiz
2) the issues are addressed if one reads the code.
David E Jones sent the following on 8/4/2011 8:38 AM:
On Aug 4, 2011, at 6:39 AM, BJ Freeman wrote:
It sounds like you are speaking of OFBiz as a finished product, in which
case I agree with your first paragraph. However OFBiz is not a finished
product and is meant for Consultants to set up for end users. The
consultant should know this information and make the application they
set up for their client fully secure.
Sorry BJ, this simply isn't true. If there is something bad in the project it
should be changed.
By your line of reasoning everyone doing consulting based on OFBiz should keep
a big list of issues to address every time they do anything for a client…
wouldn't it be better to just fix those things and be done with it?
-David
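
The confirm-before-change reset flow described at the top of this thread, as an added example that is not part of the original messages or of OFBiz's code. `ResetService`, `TOKEN_TTL` and the in-memory stores are hypothetical names chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Added illustration; ResetService and TOKEN_TTL are hypothetical names.
TOKEN_TTL = 15 * 60  # assumed lifetime of a reset link, in seconds


def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class ResetService:
    def __init__(self, clock=time.time):
        self.creds = {}    # user id -> (salt, password hash)
        self.pending = {}  # user id -> (sha256 of token, expiry time)
        self.clock = clock

    def set_password(self, user, password):
        salt = secrets.token_bytes(16)
        self.creds[user] = (salt, _hash_pw(password, salt))

    def check_password(self, user, password):
        salt, stored = self.creds[user]
        return hmac.compare_digest(stored, _hash_pw(password, salt))

    def request_reset(self, user):
        """Anyone can trigger this, so it must never touch the stored password."""
        if user not in self.creds:
            return None  # caller shows the same message either way
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self.pending[user] = (digest, self.clock() + TOKEN_TTL)
        return token  # mailed to the account's address, never shown on screen

    def confirm_reset(self, user, token, new_password):
        """Only the holder of the mailed token can change the password."""
        digest, expiry = self.pending.get(user, (b"", 0.0))
        supplied = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(digest, supplied) or self.clock() > expiry:
            return False
        del self.pending[user]  # a token works once
        self.set_password(user, new_password)
        return True
```

An unsolicited reset request leaves the existing password working, so ignoring the mail is safe for the account owner.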