Moderators mark1million Posted May 9, 2016 Moderators Report Share Posted May 9, 2016 Hey guys i recently had some malicious users causing trouble by using the forgot password function on the phpVms system and running various email addresses through the function. Basically i have disabled this function from all apart from admins as anyone that knows your email address can use the system to reset your password potentially locking you out if you miss the email, not only that if they gain access to your email then they have your whole site. The current way that the system used is too insecure which is why i have disabled it, does anyone have a better way thats been thought of and implemented? Quote Link to comment Share on other sites More sharing options...
Moderators servetas Posted May 9, 2016 Moderators Report Share Posted May 9, 2016 There are two options in that case. As soon as the user submit a password request, an email will be send with a confirmation link in order to proceed with the password update. After the use of this email, a random password can be either send to the user via email or a password update form will be shown. Alternatively, security questions can be implemented which adds much more security to the system and ensure that even if the hacker has access to the user's email, he will not be able to access the website. Quote Link to comment Share on other sites More sharing options...
Moderators mark1million Posted May 9, 2016 Author Moderators Report Share Posted May 9, 2016 Ok i would probably go with the security questions, i have already modified the registration fields and forms with extra fields in the database for required information so adding more for security questions wont be a problem, next task would be implementing the change in the code. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.