I guess if you tie your Gmail or Facebook into the login process of ofbiz I can see a relevance. How many such requests do you get from your [email protected]? Yourdomain being the one you have.

Raj Saini sent the following on 8/4/2011 6:24 PM:
> I agree with you Mike. Every week I get a couple of mails from Gmail and
> FB telling me that I had requested to reset my password and click on a
> link to confirm the request and I simply ignore such mails as I know I
> never asked to change my password. Imagine, if Gmail changes my password
> every time someone goes to Gmail login page, enters my id and hits "Forgot
> Password", I will be changing my password many times a week.
>
> Thanks,
>
> Raj
>
> On Friday 05 August 2011 04:55 AM, Mike wrote:
>> BJ, I fail to see how this could possibly be a feature. Right now,
>> I'm at the level where I fiddle around with the code. As a new user,
>> should I be expected to have to review the code to see if it stands up
>> to security standards? I don't know much, but I do know when
>> something isn't right, and this happens to be one of those. In the
>> real world, people use friendly names to send/receive email and
>> conduct business. They shouldn't be expected to remember a user name
>> like mikej49q because an application needs obfuscation to protect
>> itself.
>>
>> I would hope that maybe this feature could be reduced to a certain
>> sub-set of users, whose login name is optionally in the format of an
>> email address, and maybe require a captcha code to prevent dictionary
>> attacks.
>>
>> On Thu, Aug 4, 2011 at 10:56 AM, BJ Freeman <[email protected]> wrote:
>>> Yes David if it is a bug, but by your definition many times this is a
>>> feature.
>>> My point of the second paragraph that you did not include
>>> 1) part of the solution providing a way to circumvent security issues
>>> not part of ofbiz but how one sets up ofbiz
>>> 2) the issues are addressed if one reads the code.
>>>
>>> David E Jones sent the following on 8/4/2011 8:38 AM:
>>>> On Aug 4, 2011, at 6:39 AM, BJ Freeman wrote:
>>>>
>>>>> It sounds like you are speaking of Ofbiz as a finished product, in which
>>>>> case I agree with your first paragraph. However Ofbiz is not a finished
>>>>> product and is meant for Consultants to setup for end users. The
>>>>> consultant should know this information and make the application they
>>>>> setup for their client fully secure.
>>>> Sorry BJ, this simply isn't true. If there is something bad in the
>>>> project it should be changed.
>>>>
>>>> By your line of reasoning everyone doing consulting based on OFBiz
>>>> should keep a big list of issues to address every time they do
>>>> anything for a client… wouldn't it be better to just fix those
>>>> things and be done with it?
>>>>
>>>> -David
