Page 1 of 1

Using only e-mail address to "I forgot my password"

Posted: Sun Jul 14, 2013 8:43 pm
by robra
How the user will get the new password if only remember your e-mail address and not your username :?:
So, will be better to user to inform only the your e-mail account to receive your new password.

Thanks.

Re: Using only e-mail address to "I forgot my password"

Posted: Mon Jul 15, 2013 4:03 pm
by brunoais
The current system allows two different users to have the same e-mail address. That's why it is like that currently.
Anyway, there's already an RFC at area51 about this and one of the ideas there is to make it this way and then send the possibility for all usernames that has that e-mail.

Re: Using only e-mail address to "I forgot my password"

Posted: Mon Jul 15, 2013 4:15 pm
by nickvergessen
brunoais can you link to the RFC?

Re: Using only e-mail address to "I forgot my password"

Posted: Mon Jul 15, 2013 6:19 pm
by brunoais

Re: Using only e-mail address to "I forgot my password"

Posted: Tue Jul 16, 2013 6:08 pm
by keith10456
This makes it easier get into someone's account.

Re: Using only e-mail address to "I forgot my password"

Posted: Tue Jul 16, 2013 6:36 pm
by Hardolaf
Limiting this feature to unique e-mail addresses might be a better method.

Re: Using only e-mail address to "I forgot my password"

Posted: Tue Jul 16, 2013 8:57 pm
by brunoais
Hardolaf wrote:Limiting this feature to unique e-mail addresses might be a better method.
How would you do with installations with multiple users with the same e-mail?

Re: Using only e-mail address to "I forgot my password"

Posted: Wed Jul 17, 2013 7:16 am
by nickvergessen
keith10456 wrote:This makes it easier get into someone's account.
You would still need access to the email account of your victim, right?

Re: Using only e-mail address to "I forgot my password"

Posted: Wed Jul 17, 2013 3:58 pm
by callumacrae
nickvergessen wrote:
keith10456 wrote:This makes it easier get into someone's account.
You would still need access to the email account of your victim, right?
Yep, and if you've got that you've probably got their email address anyway.

Re: Using only e-mail address to "I forgot my password"

Posted: Thu Jul 18, 2013 3:15 am
by Hardolaf
brunoais wrote:
Hardolaf wrote:Limiting this feature to unique e-mail addresses might be a better method.
How would you do with installations with multiple users with the same e-mail?
As I said, unique e-mail addresses. So if the same e-mail address is used for two or more accounts it would not work.