If a random person puts in an email address, the email must exist in the system, otherwise they will get a message "unable to send email". If the hacker puts in a valid email, then the person with that email will get the reset message, but since the person did not initiate the password reset they know someone is tinkering.
make sense?

-wes

On Tue, Nov 24, 2009 at 11:30 PM, Jonathan Lundell <jlund...@pobox.com> wrote:
>
> On Nov 24, 2009, at 9:14 PM, Wes James wrote:
>
>> I've been working on an app that has this type of password reset:
>>
>> 1. click on password reset
>> 2. user types in email address
>> 3. the user gets an email that has a link that takes them back to the
>> web2py site
>> 4. a new password is typed in and this resets the password.
>>
>> This allows for a more secure password reset. Would you like this
>> code to use for password reset in w2p?
>
> What happens when a bad guy tries it?
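The four-step flow quoted above, as an added example that is not from this thread or from web2py itself (standard library only; the in-memory stores, the reset URL and the function names are assumptions). It differs from the described behaviour in one defensive detail: the form answers identically whether or not the address is registered, so it cannot be used to check which addresses exist, and each emailed link carries a random single-use token that is stored only as a hash and expires.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 30 * 60  # reset links expire after 30 minutes

# Constructed in-memory stores standing in for the auth_user table and a
# reset-token table; a real app would keep these in the database.
USERS = {"alice@example.test": {"password_hash": "old-hash"}}
RESET_TOKENS = {}  # sha256(token) -> {"email": ..., "expires": ...}
OUTBOX = []        # captured outgoing mail, in place of a real mail sender

def _hash_token(token):
    return hashlib.sha256(token.encode()).hexdigest()

def request_reset(email, now=None):
    """Step 2: the user submitted an email address.

    Returns the same neutral message whether or not the address is
    registered, so the form does not reveal which addresses exist; the
    email with the link (step 3) goes only to a registered address.
    """
    now = time.time() if now is None else now
    if email in USERS:
        token = secrets.token_urlsafe(32)       # raw token appears only in the link
        RESET_TOKENS[_hash_token(token)] = {    # only its hash is stored
            "email": email, "expires": now + TOKEN_TTL_SECONDS}
        OUTBOX.append((email, "https://example.test/reset_password?key=" + token))
    return "If that address is registered, a reset link has been sent."

def complete_reset(token, new_password_hash, now=None):
    """Step 4: the link was followed and a new password submitted.

    The token must be unexpired and is consumed on first use, so a leaked
    or replayed link cannot reset the password a second time.
    """
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(_hash_token(token), None)  # single use
    if entry is None or now > entry["expires"]:
        return False
    USERS[entry["email"]]["password_hash"] = new_password_hash
    return True
```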