Item10206: Reset Password makes it too easy to reset another user's password
Priority: Normal
Current State: Confirmed
Released In: n/a
Target Release: minor
For public Foswiki sites it is too easy to reset the password of other wiki users:
- In the login screen, click on "I forgot my password"
- On the Reset Password page, enter anyone's wiki name and click "Reset password"
- That person now receives an email:
Dear XXX
Login name "XXX"
Your password has been changed to "CJ0U35FO".
Please visit http://site.com/System/ChangePassword to change your password to something more memorable for you.
If you have any questions, please contact me@site.com.
Instead, Foswiki should send out a request to change the password, much like the registration confirmation:
- In the login screen, click on "I forgot my password"
- On the Reset Password page, enter anyone's wiki name and click "Send request"
- The email should go along these lines:
Dear XXX
You (or perhaps someone else) has sent a request to reset your password.
If this is a valid request, follow up by visiting http://site.com/System/ResetMyPassword?secretcode=XTRDQUWYS
If you have any questions, please contact me@site.com.
- The user visits that page and clicks "Reset password"
- In the confirmation screen, the user can change the password to something memorable
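The request-and-confirm flow described above, worked through as an added example. This is not Foswiki code (Foswiki is written in Perl; the example is Python) and it assumes a data model the report does not specify: an in-memory dict of user records, a one-hour token lifetime, and a constructed sample user "XXX" borrowed from the report's email text. The link shape comes from the report; the token value is generated. The points a reviewer of such a flow wants to see are all in the code: nothing about the account changes when the form is submitted, the mailed secret is stored only as a hash, the link expires and is single-use, and an unknown wiki name is handled without telling the requester whether the account exists.

```python
"""Token-based password reset: illustrative example, not Foswiki's implementation.

Assumed data model (not from the bug report): a dict of User records keyed by
login name, each holding a password hash and at most one pending reset.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TOKEN_LIFETIME_SECONDS = 3600  # assumption: a reset link is honoured for one hour


@dataclass
class PendingReset:
    token_hash: str    # sha256 of the secret; the raw secret exists only in the email
    expires_at: float  # unix time after which the link is dead


@dataclass
class User:
    login_name: str
    email: str
    password_hash: str
    pending_reset: Optional[PendingReset] = None


def hash_password(password: str) -> str:
    # Stand-in for a real password hash (bcrypt/argon2); sha256 keeps the example dependency-free.
    return hashlib.sha256(password.encode()).hexdigest()


def hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(users: Dict[str, User], login_name: str, now: float) -> Optional[Tuple[str, str]]:
    """Step 1: the "Send request" button.

    The account is untouched here: the current password keeps working, so a
    stranger submitting the form no longer locks the real user out. Returns
    (email, token) for the mailer, or None for an unknown name; the page shown
    to the requester must be identical in both cases so the form cannot be
    used to enumerate wiki names.
    """
    user = users.get(login_name)
    if user is None:
        return None
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable like a 8-char code
    user.pending_reset = PendingReset(hash_token(token), now + TOKEN_LIFETIME_SECONDS)
    return user.email, token


def reset_link(token: str) -> str:
    # URL shape taken from the report; the parameter value is the generated token.
    return f"http://site.com/System/ResetMyPassword?secretcode={token}"


def redeem_reset(users: Dict[str, User], token: str, new_password: str, now: float) -> bool:
    """Step 2: the user follows the link and chooses a memorable password.

    The token identifies the pending reset (the link carries no login name),
    is compared in constant time, expires, and is consumed on first use.
    """
    digest = hash_token(token)
    for user in users.values():
        pending = user.pending_reset
        if pending is None or not hmac.compare_digest(pending.token_hash, digest):
            continue
        if now > pending.expires_at:
            user.pending_reset = None  # expired links are discarded, never extended
            return False
        user.password_hash = hash_password(new_password)
        user.pending_reset = None      # single use
        return True
    return False


def demo() -> dict:
    """Runs the flow for the constructed user and reports each check's outcome."""
    users = {"XXX": User("XXX", "xxx@site.com", hash_password("old-secret"))}
    email, token = request_reset(users, "XXX", now=0.0)
    still_old = users["XXX"].password_hash == hash_password("old-secret")
    wrong = redeem_reset(users, "not-the-token", "pwned", now=10.0)
    ok = redeem_reset(users, token, "memorable phrase", now=10.0)
    replay = redeem_reset(users, token, "again", now=20.0)
    return {"email": email, "link": reset_link(token), "still_old": still_old,
            "wrong": wrong, "ok": ok, "replay": replay,
            "unknown": request_reset(users, "nobody", now=0.0)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In a real deployment the mailer, not the web response, is the only place the raw token goes, and the token-to-user lookup would be a database index on the hash rather than the linear scan used here for brevity.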
--
ArthurClemens - 29 Dec 2010