
  • Moderators
Posted

Hey guys, I recently had some malicious users causing trouble by using the forgot password function on the phpVMS system and running various email addresses through the function.

Basically, I have disabled this function for all apart from admins, as anyone that knows your email address can use the system to reset your password, potentially locking you out if you miss the email. Not only that, if they gain access to your email then they have your whole site.

The current way that the system uses is too insecure, which is why I have disabled it. Does anyone have a better way that's been thought of and implemented?

  • Moderators
Posted

There are two options in that case. As soon as the user submits a password request, an email will be sent with a confirmation link in order to proceed with the password update. After the use of this email, a random password can either be sent to the user via email or a password update form will be shown. Alternatively, security questions can be implemented, which adds much more security to the system and ensures that even if the hacker has access to the user's email, he will not be able to access the website.
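
The confirmation-link flow described in the reply above, sketched as an added example that is not part of the original thread and is not phpVMS code. The class name, the in-memory store standing in for a database table, the 15-minute lifetime and the sample address are all assumptions made for illustration:

```php
<?php
declare(strict_types=1);

// Hypothetical names throughout; $store stands in for a password_resets table.
final class PasswordReset
{
    private const TTL = 900;      // link lifetime in seconds (assumed value)
    private array $store = [];    // sha256(token) => ['user' => id, 'expires' => ts]
    private array $users;         // constructed map: lowercase email => user id

    public function __construct(array $users) { $this->users = $users; }

    // Step 1: request. The password is not changed here, so someone who
    // submits another person's address cannot lock that account out.
    public function request(string $email, int $now): ?string
    {
        $userId = $this->users[strtolower(trim($email))] ?? null;
        if ($userId === null) {
            return null; // caller shows the same "check your inbox" page either way
        }
        $token = bin2hex(random_bytes(32)); // 256-bit token from the system CSPRNG
        // Store only a hash, so a leaked table does not yield usable links.
        $this->store[hash('sha256', $token)] = ['user' => $userId, 'expires' => $now + self::TTL];
        return $token; // placed in the e-mailed confirmation link
    }

    // Step 2: the user follows the link and submits a new password.
    public function redeem(string $token, string $newPassword, int $now): ?array
    {
        $key = hash('sha256', $token);
        $row = $this->store[$key] ?? null;
        unset($this->store[$key]); // single use: consumed on any attempt
        if ($row === null || $now > $row['expires']) {
            return null;
        }
        return ['user' => $row['user'], 'hash' => password_hash($newPassword, PASSWORD_DEFAULT)];
    }
}

// Constructed demo data.
$reset = new PasswordReset(['pilot@example.com' => 7]);
$now   = time();
var_dump($reset->request('nobody@example.com', $now));       // unknown address
$token = $reset->request('pilot@example.com', $now);
var_dump($reset->redeem($token, 'new-passphrase', $now + 60)); // link used within its lifetime
var_dump($reset->redeem($token, 'again', $now + 61));          // replay of the same link
```

The existing password stays valid until `redeem()` succeeds, which addresses the lockout described in the first post.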

  • Moderators
Posted

OK, I would probably go with the security questions. I have already modified the registration fields and forms with extra fields in the database for required information, so adding more for security questions won't be a problem. The next task would be implementing the change in the code.
