At 15:19 -0600 2005.03.22, Peter da Silva wrote:
>> Yes. Trolls do it on Slashdot just to annoy the rightful user.
>
>But requiring a troll to jump through an easy hoop like that won't
>stop the troll.

It slows them down when they try to automate it with a script, which they
have done in the past.

>> We used to automatically reset the password when a new one was requested
>> ... that was just asking for abuse. Now, we create a new password, but
>> don't activate it until it is used.
>
>That, or create a cryptographic key that can be used to reset the password.

Yes, that is another option. Not much difference.

>If I meant "your old password" I'd say "your old password".

Yes, but what you said didn't make sense, so I tried to guess.

>> If you mean sending a new one vs. sending a link to get a new one, there's
>> not a significant difference between the two, that I can see.
>
>Well, the difference is that when you send the link you only actually change
>the password when the link is used, so it can't be used to DOS the account
>owner.

The same thing when sending a new one, for us. The new password is not
active until it is used the first time, so the account owner can just ignore
the email.

>But either of them fall under "MAILTO", either are quite acceptable.

But you were talking about the password reset link as though it didn't fall
under "MAILTO."

--
Chris Nandor                      pudge@xxxxx.xxx    http://pudge.net/
Open Source Technology Group       pudge@xxxx.xxx     http://ostg.com/
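
The activate-on-first-use reset described in the message above, sketched as an added example that is not part of the original post and not Slashdot's code. The `Account` class, the 24-hour expiry on an unused password, and the PBKDF2 hashing are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

PENDING_TTL = 24 * 3600  # assumed lifetime of a mailed but unused password

def _hash(password, salt):
    # Salted, slow hash so the store never holds either password in clear.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:  # hypothetical account record
    def __init__(self, password):
        self.salt = secrets.token_bytes(16)
        self.active = _hash(password, self.salt)
        self.pending = None  # (hash, expiry) of the mailed password, if any

    def request_reset(self, now=None):
        """Callable by anyone; it never touches the active password."""
        now = time.time() if now is None else now
        new_password = secrets.token_urlsafe(12)
        self.pending = (_hash(new_password, self.salt), now + PENDING_TTL)
        return new_password  # mailed to the address on file, never shown to the requester

    def login(self, password, now=None):
        now = time.time() if now is None else now
        candidate = _hash(password, self.salt)
        if hmac.compare_digest(candidate, self.active):
            return True
        if (self.pending and now < self.pending[1]
                and hmac.compare_digest(candidate, self.pending[0])):
            # First use of the mailed password activates it and retires the old one.
            self.active, self.pending = candidate, None
            return True
        return False

def demo():
    acct = Account("owner-secret")
    acct.request_reset(now=0)                      # triggered by someone else; owner ignores the mail
    ignored = acct.login("owner-secret", now=10)   # old password still works
    mailed = acct.request_reset(now=20)
    expired = acct.login(mailed, now=20 + PENDING_TTL + 1)  # unused password aged out
    mailed = acct.request_reset(now=100)
    activated = acct.login(mailed, now=200)        # owner really did forget and uses the mail
    old_after = acct.login("owner-secret", now=300)
    return ignored, expired, activated, old_after

if __name__ == "__main__":
    print(demo())
```
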