Not quite: “To limit denial-of-service attacks the application should email a link to the user with a random token, and only if the user visits the link then the reset procedure is completed. This ensures that the current password will still be valid until the reset has been confirmed.” https://www.owasp.org/index.php/Testing_for_weak_password_change_or_reset_functionalities_(OTG-AUTHN-009)
I asked a similar question the other day and was pointed to SonaType’s Nexus and to StormPath, but it seems like a common ask that Shiro could potentially be more helpful with.

Regards,
Richard

From: I PVP [mailto:[email protected]]
Sent: Tuesday, August 2, 2016 2:25 PM
To: [email protected]
Subject: What is the recommended approach to implement password reset with Shiro?

What is the recommended approach to implement password reset functionality with Shiro? Should I just generate a new password, update the database, send it to the end user over email and force the user to change it on the next login? Or is there something more elegant that should be done using Shiro?

Thanks
IPVP
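The token-link flow that the OWASP passage quoted in the first reply describes, written out as an added example; it is not code from this thread, from OWASP or from Shiro. Plain Python is used so it runs without a Shiro realm, and the account store, mailer, clock, reset URL and the PBKDF2 password hash are constructed stand-ins. The point it shows is the one the quote makes: requesting a reset stores only a digest of a random token plus an expiry, the existing password keeps working until the link is confirmed, and the token is single-use. In a Java/Shiro application the last step would store whatever hash the realm's credentials matcher expects instead of the PBKDF2 stand-in.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse

TOKEN_TTL_SECONDS = 15 * 60
RESET_URL = "https://app.example.invalid/reset"  # hypothetical endpoint, constructed for this example
PBKDF2_ROUNDS = 100_000


def hash_password(password: str) -> str:
    """Salted PBKDF2; stand-in for whatever the realm's credentials matcher expects."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


@dataclass
class Account:
    email: str
    password_hash: str


@dataclass
class PendingReset:
    token_digest: str  # only SHA-256 of the token is stored, so a leaked table row is not a usable link
    expires_at: float


class PasswordResetService:
    def __init__(self, accounts: dict, now=time.time):
        self._accounts = accounts      # email -> Account; constructed in-memory user table
        self._pending: dict = {}       # email -> PendingReset
        self._now = now                # injectable clock so expiry can be exercised
        self.outbox: list = []         # (recipient, link) pairs; stands in for the mailer

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, email: str) -> None:
        """Step 1: mail a one-time link. The stored password is not touched here."""
        if email not in self._accounts:
            return  # same empty response as for a known address: no account enumeration
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[email] = PendingReset(self._digest(token), self._now() + TOKEN_TTL_SECONDS)
        self.outbox.append((email, RESET_URL + "?" + urlencode({"email": email, "token": token})))

    def confirm_reset(self, email: str, token: str, new_password: str) -> bool:
        """Step 2: only a valid, unexpired, unused token lets the password change."""
        pending = self._pending.get(email)
        if pending is None:
            return False
        if self._now() > pending.expires_at:
            del self._pending[email]
            return False
        if not hmac.compare_digest(pending.token_digest, self._digest(token)):
            return False
        del self._pending[email]  # single use: a replay of the same link fails
        self._accounts[email].password_hash = hash_password(new_password)
        return True


def walkthrough() -> dict:
    """Runs the two-step flow on a constructed account and reports what each step changed."""
    accounts = {"alice@example.com": Account("alice@example.com", hash_password("old-secret"))}
    svc = PasswordResetService(accounts)

    svc.request_reset("alice@example.com")
    old_still_valid = verify_password("old-secret", accounts["alice@example.com"].password_hash)

    _, link = svc.outbox[-1]
    token = parse_qs(urlparse(link).query)["token"][0]
    wrong_token = svc.confirm_reset("alice@example.com", "not-the-token", "attacker")
    confirmed = svc.confirm_reset("alice@example.com", token, "new-secret")
    replayed = svc.confirm_reset("alice@example.com", token, "again")

    svc.request_reset("nobody@example.com")  # unknown address: no mail, no error
    return {
        "old_valid_before_confirm": old_still_valid,
        "wrong_token_rejected": not wrong_token,
        "confirmed": confirmed,
        "replay_rejected": not replayed,
        "old_rejected_after": not verify_password("old-secret", accounts["alice@example.com"].password_hash),
        "new_accepted_after": verify_password("new-secret", accounts["alice@example.com"].password_hash),
        "mails_sent": len(svc.outbox),
    }
```

Expiry is handled by the injected clock: a link confirmed after TOKEN_TTL_SECONDS is discarded and the password stays as it was, so an attacker who triggers resets for someone else's address can never lock that person out, which is the denial-of-service concern the OWASP text raises.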
