Subject: change password & lost password
Newsgroups: lugnet.admin.suggestions
Date: Fri, 12 Apr 2002 18:29:58 GMT
Viewed: 1152 times
  
Almost every website that uses passwords has an ability to change the
password, and a "Forgot my password" link on the login screen.  LUGNET
doesn't (that I can find, anyway).  I think this is a serious
shortcoming, since the only way to get a password reset involves
having it be sent by the admins in plaintext e-mail, which is very
poor security.

The change password option should be visible on the user's 'edit my
profile' page, and should require re-entering the old password.

The "forgot my password" link should appear on the login page.  If you
click it, it should take you to a page where you can enter your member
number (if you forgot *that*, then maybe a way to search by e-mail
address or real name?).  The most secure method that I'm aware of
involves sending an e-mail to the user with a special URL that they
can then visit to enter a new password.  Once they have done so, that
special URL is no longer valid.  This way the password is never sent
in e-mail.

--Bill.

--
William R Ward            bill@wards.net          http://www.wards.net/~bill/
-----------------------------------------------------------------------------
     If you're not part of the solution, you're part of the precipitate.
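
The one-time reset URL described in the post above, sketched as an added example (not part of the original message and not LUGNET's code). The class and function names, the one-hour lifetime and the in-memory store are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # assumed lifetime; the post does not specify one


class ResetTokenStore:
    """In-memory stand-in for a database table of pending password resets."""

    def __init__(self, clock=time.time):
        self._pending = {}   # member number -> (sha256 of token, expiry time)
        self._clock = clock

    def issue(self, member_no):
        """Create the token that goes into the e-mailed URL; keep only its hash."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        # A new request replaces any earlier outstanding token.
        self._pending[member_no] = (digest, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, member_no, token, new_password, set_password):
        """Set the new password if the token is valid, then invalidate it."""
        entry = self._pending.get(member_no)
        if entry is None:
            return False
        digest, expires_at = entry
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(digest, presented):
            return False
        # Token matched: remove it first, so the URL cannot be used twice,
        # whether or not it has expired.
        del self._pending[member_no]
        if self._clock() > expires_at:
            return False
        set_password(member_no, new_password)
        return True


def reset_url(base, member_no, token):
    """Build the link placed in the e-mail (base URL is a placeholder)."""
    return f"{base}?member={member_no}&token={token}"
```

Only the hash of the token is stored, so a copy of the pending-reset table does not yield usable links, and the password itself never appears in the e-mail.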



Message has 2 Replies:
  Re: change password & lost password
 
(...) There is a change password page. It's a bit hard to find, though. This is the page to change your password: (URL) agree that a link to it from the 'edit my profile' page would be handy. Hope that helps. (23 years ago, 12-Apr-02, to lugnet.admin.suggestions)
  Re: change password & lost password
 
(...) How is sending a URL better than sending a password? I assume that once you get a new password in the mail, the first thing you do is change it anyway, right? So what's the difference? Dan PS. I agree that sending passwords in plaintext is (...) (23 years ago, 12-Apr-02, to lugnet.admin.suggestions)

©2005 LUGNET. All rights reserved. - hosted by steinbruch.info GbR