[PATCH] secure password reset implementation

Mads Kiilerich mads at kiilerich.com
Thu Jul 23 16:51:58 UTC 2015


On 07/23/2015 06:28 PM, Thomas De Schampheleire wrote:
> On July 23, 2015 3:53:34 PM CEST, Mads Kiilerich <mads at kiilerich.com> wrote:
>> On 07/19/2015 03:35 PM, Andrew Shadura wrote:
>>> # HG changeset patch
>>> # User Andrew Shadura <andrew at shadura.me>
>>> # Date 1431821238 -7200
>>> #      Sun May 17 02:07:18 2015 +0200
>>> # Node ID 98cb64feddfb89f106f66763462061fd2ca3f412
>>> # Parent  f103b1a2383bc4fba5d28f9732ba832025e3bf00
>>> secure password reset implementation
>> A couple of other things:
>>
>> It should make sure it doesn't go too far with changing passwords when
>> using external authentication (but also not reveal too much information
>> too early). (I guess it would be nice if each authentication module had
>> a customizable "tell the user how to change the password" string...)
> Related to this, ldap users currently (without patch, I haven't checked with) see a password reset link that actually sends a mail but without effect on the password. This is confusing and wrong.

Ok, so it is an independent existing issue in the same area.

/Mads
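As an added example, not code from Kallithea or from anyone in this thread, here is one way a reset-request handler could follow the two points raised above: keep the user-facing reply identical whether or not the address exists, and give externally authenticated (e.g. LDAP) users their auth module's own instructions instead of a reset link that cannot change their password. The user store, the `auth_type` labels, the hint text and the token factory are constructed placeholders.

```python
"""Sketch of a password-reset request handler (added example, not Kallithea code)."""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample user store; "internal" / "ldap" are hypothetical auth_type labels.
USERS = {
    "alice": {"email": "alice@example.org", "auth_type": "internal"},
    "bob": {"email": "bob@example.org", "auth_type": "ldap"},
}

# Hypothetical per-auth-module "tell the user how to change the password" text.
PASSWORD_CHANGE_HINT = {
    "ldap": "This account's password is managed in the corporate directory; "
            "contact your administrator to change it.",
}

# Same reply for every request, so the form does not reveal whether an
# address is registered or which authentication backend it uses.
GENERIC_REPLY = ("If an account with that address exists, an email with "
                 "further instructions has been sent.")


@dataclass
class ResetOutcome:
    user_message: str        # shown in the web UI; identical in every case
    mail_to: Optional[str]   # recipient, or None when nothing should be sent
    mail_body: str           # reset link for internal users, hint for external ones


def handle_reset_request(email: str, store=USERS,
                         token_factory: Callable[[str], str] = lambda u: f"<token-for-{u}>"
                         ) -> ResetOutcome:
    match = next(((name, u) for name, u in store.items()
                  if u["email"].lower() == email.lower()), None)
    if match is None:
        # Unknown address: reply exactly as for a known one, but send nothing.
        return ResetOutcome(GENERIC_REPLY, None, "")
    name, user = match
    if user["auth_type"] != "internal":
        # External auth: minting a reset token would be pointless (it cannot
        # change the password), so mail the module's instructions instead.
        hint = PASSWORD_CHANGE_HINT.get(user["auth_type"],
                                        "Your password is managed externally.")
        return ResetOutcome(GENERIC_REPLY, user["email"], hint)
    link = f"https://example.invalid/reset/{token_factory(name)}"  # placeholder URL
    return ResetOutcome(GENERIC_REPLY, user["email"], f"Reset your password here: {link}")
```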

