[feature-proposal] Forgot password improvements

Caio Tiago Oliveira caiotiago at colivre.coop.br
Mon Nov 11 19:50:45 BRST 2013



On 11/11/2013 06:28 PM, Rodrigo Souto wrote:
> Indeed...
> 
> If there are private confirmation fields (email itself is private
> by default now) we would leak this information through this form.

We could just ask for more data from the user. For instance, asking for
another field of the available ones until there is only one left.

The only risk would be something like this:
 - the only three available fields are: username, email and nickname
(let's presume it's unique, but it can be any random string without
spaces, @ included)
 - the user forgot his username and nick, but remembers his email (of
course)
 - some other user has the email of the former one as his nick (just
because he can, but let's assume it could be an attack by someone
trying to sabotage the community)
 - the user wouldn't be able to recover his username/password

Email is the only unique data which you may require the user to know
(otherwise he won't see the email with the instructions). I don't see
any added value to ask for any random thing when the user must already
know his email anyway.


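The scenario above, modelled as an added Ruby example (constructed for this thread, not Noosfero's own code): a lookup that matches the typed value against any of username/email/nickname, the nickname-equals-someone-else's-email collision, and an email-only lookup that returns the same answer whether or not the address is registered. User records and the SENT log are assumed placeholders.

```ruby
# Constructed sample accounts (not real users). "mallory" has set her
# nickname to alice's email address, the sabotage case from the thread.
User = Struct.new(:username, :email, :nickname)

USERS = [
  User.new('alice',   'alice@example.org',   'ally'),
  User.new('mallory', 'mallory@example.org', 'alice@example.org'),
].freeze

# Naive form: whatever the user types is matched against every
# identifying field. Any hit on a private field (nickname, email) is
# revealed by the form's behaviour, which is the leak Rodrigo describes.
def match_any_field(users, typed)
  users.select { |u| [u.username, u.email, u.nickname].include?(typed) }
end

# "Ask for another field until only one user is left": `answers` holds
# the extra field/value pairs the requester was able to supply. If the
# requester cannot supply any, the candidate set never shrinks.
def recover_candidates(users, typed, answers = {})
  cands = match_any_field(users, typed)
  return cands if cands.size <= 1
  answers.reduce(cands) { |c, (field, value)| c.select { |u| u[field] == value } }
end

# Email-only lookup, the thread's conclusion. The response is identical
# for registered and unregistered addresses, so the form cannot be used
# to probe which emails or nicknames exist; the mail itself is the only
# channel that confirms anything, and only to the mailbox owner.
SENT = []  # placeholder for the mailer: records addresses mailed

def request_reset(users, email)
  user = users.find { |u| u.email == email }
  SENT << user.email if user
  'If that address is registered, instructions have been sent.'
end
```

With the naive form, alice (who only remembers her email) gets two candidates and is asked for a username or nickname she has forgotten; the email-only form sends her the instructions without telling anyone what mallory's nickname is.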
