UseBB Community

When requesting password we need to enter the username and email adress. I think the script generates a random pw and mails it to the address. But if a user enters this information from another user he can easily change his password. How can we prevent this and make passwod request difficult or can we cancel this option?
Thank you.

This behavior cannot be changed in UseBB 1.

UseBB 2 could send a confirmation link first, eventually allowing the user to set the password. Moved to feature requests.

I don't think that this is major issue. As I know not so many people share their email addresses with other people, when we are talking about forums.

The issue is that you can get anyone's password altered if you know the username and e-mail address.

Do you have to know both the username and the e-mail address in order to change a user's password?

Sorry, I don't have a UseBB installation right now to find the answer to this.

Yes.

even then- if you ask me.. it's still not that bad. so what if the pass changes? the new password will be sent to the _mail_ anyway.

it becomes troublesome if the pwchange can read the mail- but then again.. a lot of people use the same password for everything.

so I wouldn't worry to much about it

You can't get hold of the password, but it may be troublesome when one keeps on resetting other people's password. Also, sending a password via e-mail isn't considered secure.

That's why in 2.0 you will receive a link via email where you will be able to set a new one.