[RFC] Rethink account recovery options

Marshalrusty
Project Manager
Posts: 273
Joined: Thu Oct 27, 2005 1:45 am

[RFC] Rethink account recovery options

Post by Marshalrusty »

At the moment, in order to recover an account, one must provide both a username and email address. phpBB then sends an email with a password and link to activate said password (if you don't click the link, the password remains unchanged).

This behavior is not ideal for several reasons:
1) Some people use multiple email addresses and must attempt to guess which one they used.
2) If you forget your username, you cannot recover the account.

The options are:
A) Leave the current behavior as is
B) Allow an account recovery email to be triggered with either a username or an email address
C) Something else

One concern is that Yahoo, for one, is recycling old email usernames, meaning that email addresses can no longer be used as guaranteed identifiers. On the other hand, phpBB prefaces all emails with "Hello <username>", so if someone recovers an email account belonging to someone else, and they receive any email from the board, the new owner of the account has everything they need to recover it anyway.

Another concern is that since memberlists are generally accessible to all members of a board, someone can mass generate account reset emails if only the username is needed to do so.

Intelligent thoughts on this are welcome.

EXreaction
Registered User
Posts: 1555
Joined: Sat Sep 10, 2005 2:15 am

Re: [RFC] Rethink account recovery options

Post by EXreaction »

Generally, websites use something like:

Email or SMS

Username + Security question/answer

I think just using the email address alone is about the easiest thing for us as it doesn't require we add other features (such as a security q&a). If a user's email account is lost or compromised, getting access to phpBB forums the user may have accounts on seems to me to be of relatively little concern. If the attack were to be targeted/intentional to get access to a specific board, they'd already know the username, so requiring that doesn't help. Otherwise the user would need some sort of bot to attempt to find the username on any forum they know of (does not seem very useful or effective at getting anything).

Pony99CA
Registered User
Posts: 986
Joined: Sun Feb 08, 2009 2:35 am
Location: Hollister, CA

Re: [RFC] Rethink account recovery options

Post by Pony99CA »

For reference, there was a discussion about this on phpBB.com almost two years ago in the Why require username for forgotten password? topic.

Steve
Silicon Valley Pocket PC (http://www.svpocketpc.com)
Creator of manage_bots and spoof_user (ask me)
Need hosting for a small forum with full cPanel & MySQL access? Contact me or PM me.
