Change password after clicking on reset link in email

Publish your own request for comments/change or patches for the next version of phpBB. Discuss the contributions and proposals of others. Upcoming releases are 3.2/Rhea and 3.3.

Pony99CA
Registered User
Posts: 986
Joined: Sun Feb 08, 2009 2:35 am
Location: Hollister, CA

Re: Change password after clicking on reset link in email

Post by Pony99CA »

Danielx64 wrote: Has anyone been to a site where you answer a question when you change your password? (to prevent bots from doing it)
Do you mean a CAPTCHA or a security question? CAPTCHAs can be verified automatically, but security questions are usually chosen by the user and would require new User Control Panel settings.

Steve
Silicon Valley Pocket PC (http://www.svpocketpc.com)
Creator of manage_bots and spoof_user (ask me)
Need hosting for a small forum with full cPanel & MySQL access? Contact me or PM me.

Danielx64
Registered User
Posts: 304
Joined: Mon Feb 08, 2010 3:42 am

Re: Change password after clicking on reset link in email

Post by Danielx64 »

Yes, CAPTCHAs.

Alien_Time
Registered User
Posts: 165
Joined: Fri Apr 05, 2013 3:38 am

Re: Change password after clicking on reset link in email

Post by Alien_Time »

Danielx64 wrote: Has anyone been to a site where you answer a question when you change your password? (to prevent bots from doing it)
That extra step is not gonna help and in fact it can be a pain. First of all, CAPTCHAs are not that hard for bots to crack nowadays. Also, since the activation email link is only gonna be emailed to the user's registered email address, bots can only do that for their accounts. I don't see a need for an additional question on that screen.

Master_Cylinder
Registered User
Posts: 361
Joined: Wed Jul 31, 2013 9:54 pm

Re: Change password after clicking on reset link in email

Post by Master_Cylinder »

Some bots can also figure out some simple Q&A tests like 2+2 = ? Or what is the capital of X?
These kids today...
Buy them books, send them to school and what do they do?

They eat the paste. :lol:

Danielx64
Registered User
Posts: 304
Joined: Mon Feb 08, 2010 3:42 am

Re: Change password after clicking on reset link in email

Post by Danielx64 »

Master_Cylinder wrote: Some bots can also figure out some simple Q&A tests like 2+2 = ? Or what is the capital of X?
That's why you do not pick questions like that.

Master_Cylinder
Registered User
Posts: 361
Joined: Wed Jul 31, 2013 9:54 pm

Re: Change password after clicking on reset link in email

Post by Master_Cylinder »

Danielx64 wrote:
Master_Cylinder wrote: Some bots can also figure out some simple Q&A tests like 2+2 = ? Or what is the capital of X?
That's why you do not pick questions like that.
I don't but some people do. Doesn't change the fact that neither captcha nor Q&A are secure anymore.

Ger
Registered User
Posts: 293
Joined: Mon Jul 26, 2010 1:55 pm
Location: 192.168.1.100

Re: Change password after clicking on reset link in email

Post by Ger »

Q&A is safe. Bad questions are not.

Having a Q&A with a question like "2+2" is like having a lock with the key in it. That doesn't make it a bad lock. The owner is just foolish.
Above message may contain errors in grammar, spelling or wrongly chosen words. This is because I'm not a native speaker. My apologies in advance.

Master_Cylinder
Registered User
Posts: 361
Joined: Wed Jul 31, 2013 9:54 pm

Re: Change password after clicking on reset link in email

Post by Master_Cylinder »

You can't force admins into writing better Q&A questions, especially if they don't know better, so it's not safe. You can blame the admin but it still has potential issues. The better password recovery type Q&A systems even allow the user to write their own questions but there would be nothing to stop a user from writing a bad question there either.

Perhaps if phpBB came up with 10 decent "default" questions and allowed users to write their own as one of the options it would be safer, but there is still no guarantee that the user's email system hasn't been compromised either. I suppose specialty situations can just be dealt with manually by an admin.

Master_Cylinder
Registered User
Posts: 361
Joined: Wed Jul 31, 2013 9:54 pm

Re: Change password after clicking on reset link in email

Post by Master_Cylinder »

Danielx64 wrote: New way:
User forgets password -> requests new password -> clicks on link in email -> gets taken to a page where he can type in a new password -> logs in with new password.

I think that this is a better way than what https://area51.phpbb.com/phpBB/viewtopi ... 13&t=44919 was trying to do.
Did this get approved yet? ;)
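The "new way" flow quoted above (request, emailed link, new-password page), sketched in PHP as an added example that is not part of the thread and not phpBB's code. The function names, the in-memory arrays standing in for database tables, the one-hour lifetime and the forum.example URL are all assumptions. The link carries a random single-use token, so only whoever can read the registered mailbox can complete the change.

```php
<?php
// Added illustration; names and storage are hypothetical, not phpBB APIs.
const RESET_TTL = 3600; // seconds a reset link stays valid (assumed value)

/** Issue a token: the raw value goes into the email, only its hash is stored. */
function issue_reset_token(array &$store, int $user_id, int $now): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $store[$user_id] = [
        'hash'    => hash('sha256', $token),
        'expires' => $now + RESET_TTL,
    ];
    return $token;
}

/** Set the new password only for a matching, unexpired, unused token. */
function redeem_reset_token(array &$store, array &$users, int $user_id,
                            string $token, string $new_password, int $now): bool
{
    $row = $store[$user_id] ?? null;
    if ($row === null) {
        return false;                    // nothing pending, or already used
    }
    if ($now > $row['expires']) {
        unset($store[$user_id]);         // expired links are discarded
        return false;
    }
    if (!hash_equals($row['hash'], hash('sha256', $token))) {
        return false;                    // constant-time comparison
    }
    unset($store[$user_id]);             // single use: consume before changing
    $users[$user_id]['password'] = password_hash($new_password, PASSWORD_DEFAULT);
    return true;
}

// Constructed demo data, not taken from the thread.
$users = [7 => ['password' => password_hash('old-password', PASSWORD_DEFAULT)]];
$store = [];
$now   = 1700000000;

$token = issue_reset_token($store, 7, $now);
echo 'https://forum.example/reset?u=7&t=' . $token . PHP_EOL; // link placed in the email

var_dump(redeem_reset_token($store, $users, 7, 'guessed-token', 'x', $now + 60));   // wrong token
var_dump(redeem_reset_token($store, $users, 7, $token, 'N3w-passphrase', $now + 60)); // genuine link
var_dump(redeem_reset_token($store, $users, 7, $token, 'again', $now + 120));       // replay of used link
```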