ResetPassword allows users to have their password reset in case they have forgotten their password.
Note: you must have at least one valid registered e-mail to be able to reset your password. If none of your registered e-mail addresses is valid, and you have forgotten your password, contact webmaster@exampleNOSPAM.com.
- Where are multiple e-mail addresses stored?
- It would be much friendlier if the e-mail address is shown here. Otherwise the user has to check elsewhere if the email address is correct. And s/he will never be sure if the e-mail address on the user page is used or perhaps a different one.
Anyone can use this page to reset the password of someone else. It would be better if
- the user with the given LoginName was sent an e-mail
- the user clicks on the link in the e-mail
- the user lands on a feedback page stating that the password has been reset
Also all related links on the page should be made less distracting.
AC
E-mail addresses are not shown precisely because of the security implications of showing them.
Multiple email addresses are stored as a list. As the prompt says on ChangeEmailAddress: "New e-mails (space-separated list):"
When a user visits that page, they are shown their registered Email addresses.
Yes, anyone can reset anyone else's password; of course they can. How else is someone who has forgotten their password supposed to request a password reset?
The user with the given LoginName is sent an email, with the new password. Further complicating the reset process (requiring a second verification step) is IMHO unnecessary.
I can agree with the idea that related links should be improved. But it's Low priority.
CC
How else is someone who has forgotten their password supposed to request a password reset? Like step 1-3 above. This is not further complicating, but normal process flow.
AC
this appears to be how it works now...
Dear New User
Login name "NewUser"
Your password has been changed to "8920941650".
Please visit http://t42p/cgi-bin/TWiki4/bin/view/TWiki/ChangePassword?username=NewUser to change your password to something more memorable for you.
If you have any questions, please contact 0.
closing
--
SvenDowideit - 02 Jun 2007
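
The confirm-before-reset flow proposed in steps 1-3 above, sketched as an added example (not TWiki code and not part of the original discussion): requesting a reset only issues a single-use, expiring token for the e-mailed link, and the stored password changes only when that token is presented. `ResetStore`, `TOKEN_TTL` and the in-memory dictionaries are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600  # assumed lifetime of a reset link, in seconds


class ResetStore:
    """In-memory stand-in for the user database (constructed for this example)."""

    def __init__(self):
        self.passwords = {}  # login name -> stored credential (opaque here)
        self.pending = {}    # login name -> (SHA-256 of token, expiry time)

    def request_reset(self, login, now=None):
        """Step 1: anyone may ask; this only mints a token for the e-mailed link."""
        now = time.time() if now is None else now
        if login not in self.passwords:
            return None  # the web page should answer identically either way
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[login] = (digest, now + TOKEN_TTL)
        return token  # sent to the registered address, never shown on the page

    def confirm_reset(self, login, token, new_credential, now=None):
        """Steps 2-3: the password changes only when the e-mailed token returns."""
        now = time.time() if now is None else now
        entry = self.pending.get(login)
        if entry is None:
            return False
        digest, expiry = entry
        if now > expiry:
            del self.pending[login]  # expired links are discarded
            return False
        supplied = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, supplied):
            return False
        del self.pending[login]  # single use: a replayed link fails
        self.passwords[login] = new_credential
        return True
```

With this shape, a reset request made by someone other than the account owner leaves the existing password untouched unless the owner follows the link.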