On 10/8/07, Marty Alchin <[EMAIL PROTECTED]> wrote:
> His point is that anyone could trigger that email. And, while you're
> right that only the true user would receive the email, the target
> user's password will get reset regardless. So, if I didn't like you, I
> could put in your email address, and even though I can't access your
> account, I can still lock you out until you receive the email.
This requires that they know your email address. And you get the email with the new password, so it's not like you're "locked out" -- you just have to check your email. The chance of someone actually doing this, combined with the fact that it doesn't create a security problem, only a minor inconvenience, would be enough for me to rule it insignificant.

Plus, the alternative is to either store plaintext passwords or provide a way to recover plaintext passwords, both of which are not going to happen in any way, shape or form, because they *do* present extremely serious security problems.

--
"Bureaucrat Conrad, you are technically correct -- the best kind of correct."

You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/django-users?hl=en
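The two messages above disagree about whether "reset the password as soon as anyone submits the address" is a lockout or merely an inconvenience. The following is an added example, written for this page and not code from the thread or from Django itself. It models the behaviour the thread describes (a reset request immediately replaces the stored password and mails the new one) beside the design neither poster mentions, which goes beyond the text: a request only mails a one-time, expiring token, and the old password keeps working until the token is redeemed. The `UserStore`, `TokenReset`, the `/reset/confirm` URL, the account `alice@example.com` and the server secret are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; stand-in for a real password hasher."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class UserStore:
    """Constructed in-memory user table: email -> {salt, hash}. Not Django's ORM."""

    def __init__(self):
        self.users = {}

    def add(self, email: str, password: str) -> None:
        self.set_password(email, password)

    def set_password(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[email] = {"salt": salt, "hash": hash_password(password, salt)}

    def check(self, email: str, password: str) -> bool:
        user = self.users.get(email)
        if user is None:
            return False
        return hmac.compare_digest(user["hash"], hash_password(password, user["salt"]))


def reset_on_request(store: UserStore, email: str):
    """The flow discussed in the thread: any request replaces the password at once.

    Returns the mail that would be sent (constructed outbox), or None if the
    address is unknown. The legitimate owner's current password stops working
    the moment a third party submits the address.
    """
    if email not in store.users:
        return None
    new_password = secrets.token_urlsafe(12)
    store.set_password(email, new_password)
    return {"to": email, "body": f"Your new password is {new_password}"}


class TokenReset:
    """Alternative flow: mail a single-use token; change the password only on redemption."""

    def __init__(self, store: UserStore, secret: bytes, ttl_seconds: int = 3600):
        self.store = store
        self.secret = secret          # server-side key for HMAC'ing stored tokens
        self.ttl = ttl_seconds
        self.issued = {}              # email -> (hmac_of_token, expiry); one outstanding token per user

    def _digest(self, token: str) -> bytes:
        # Store only an HMAC of the token so a leaked table does not yield usable tokens.
        return hmac.new(self.secret, token.encode(), hashlib.sha256).digest()

    def request(self, email: str):
        if email not in self.store.users:
            return None   # a real view should answer identically either way (no account enumeration)
        token = secrets.token_urlsafe(32)
        self.issued[email] = (self._digest(token), time.time() + self.ttl)
        # Nothing in the user table changed: the existing password still works.
        return {"to": email, "body": f"Visit /reset/confirm?token={token}"}

    def redeem(self, email: str, token: str, new_password: str) -> bool:
        entry = self.issued.get(email)
        if entry is None:
            return False
        digest, expiry = entry
        if time.time() > expiry:
            del self.issued[email]
            return False
        if not hmac.compare_digest(digest, self._digest(token)):
            return False
        del self.issued[email]        # single use: a replayed link must fail
        self.store.set_password(email, new_password)
        return True


def demo() -> dict:
    """Run an unsolicited reset against both flows and report what happened."""
    # Flow 1: a third party submits Alice's address; her own password is now gone.
    store = UserStore()
    store.add("alice@example.com", "correct horse")      # constructed account
    reset_on_request(store, "alice@example.com")
    locked_out = not store.check("alice@example.com", "correct horse")

    # Flow 2: the same unsolicited request only mails a token.
    store2 = UserStore()
    store2.add("alice@example.com", "correct horse")
    flow = TokenReset(store2, secret=b"constructed-server-secret")
    mail = flow.request("alice@example.com")
    still_valid = store2.check("alice@example.com", "correct horse")
    token = mail["body"].split("token=", 1)[1]
    forged = flow.redeem("alice@example.com", "not-the-real-token", "x")   # wrong token
    redeemed = flow.redeem("alice@example.com", token, "new passphrase")   # real token, once
    replayed = flow.redeem("alice@example.com", token, "attacker choice")  # same token again
    return {
        "locked_out": locked_out,
        "still_valid": still_valid,
        "forged": forged,
        "redeemed": redeemed,
        "replayed": replayed,
        "unknown_user": flow.request("nobody@example.com") is None,
    }
```

In the first flow `locked_out` is True: the owner's password is invalid until the mail is read, which is the point Marty Alchin makes. In the second flow `still_valid` is True after the same request, so an outsider submitting the address costs the owner nothing but an unexpected email; the token is HMAC'd at rest, compared in constant time, expires, and is deleted on first use so the link cannot be replayed.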