Lost Password system (5 posts)

  1. Jamiethecomic
    Posted 4 years ago #

    A good friend of mine pointed out, and spammed me to prove his point, that if anyone loses their password they have the option to enter their e-mail address or username.

    By simply copying and pasting my username he spammed me and I received 20 e-mails about "me" requesting my password.

    Is it possible I could change it so it only requires an e-mail address to recover a password?

  2. peter achutha
    Posted 4 years ago #

    One option is to use an email address your friend does not know about. The other option is to install a CAPTCHA-based login plugin so that your friend has more work trying to spam you. And please don't call him a friend if he is spamming you.

  3. Jamiethecomic
    Posted 4 years ago #

    Oh no he's cool, he was just seeing if I had a limit set up.

    It's not the e-mail that's the problem, it's the username.

    He doesn't know my e-mail address, but my username and my community's are exposed and anyone can exploit it.

    Can I set it up so it can only work to use their e-mail as a way to identify?

    But in the meantime I will look for a CAPTCHA plugin.

    Thanks! :D

  4. peter achutha
    Posted 4 years ago #

    The lost password is there for people who have genuinely lost their password. I don't know of anything that can be done ... yet. There is a login plugin (I forget which one) that blocks you after the third attempt.

  5. s_ha_dum
    Posted 4 years ago #

    I've been thinking about this since I first saw your post, and I don't think I'd really consider it an exploit. The behavior you describe is really pretty useless for a hacker. There is no payoff. There is no reason to do what your friend did except as a prank. But there might be plugins that make that prank more difficult.

Topic Closed

This topic has been closed to new replies.
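
The two mitigations discussed in the thread (accepting only an e-mail address on the lost-password form, and limiting repeated requests), as an added example that is not part of the thread or of any plugin mentioned in it. It is a platform-neutral sketch; the class name, the 15-minute cooldown and the sample account are assumptions.

```python
import time


class ResetRequestGate:
    """Decides whether a reset e-mail goes out for a submitted identifier."""

    # One reply for every outcome, so the form does not confirm which addresses exist.
    REPLY = "If that address belongs to an account, a reset link has been sent."

    def __init__(self, users, cooldown_seconds=900, clock=time.monotonic):
        # users maps username -> e-mail; lookups use the e-mail index only.
        self._by_email = {email.lower(): name for name, email in users.items()}
        self._cooldown = cooldown_seconds
        self._clock = clock
        self._last_sent = {}  # username -> time the last reset mail was sent
        self.outbox = []      # stands in for the real mailer

    def request(self, identifier):
        key = identifier.strip().lower()
        username = self._by_email.get(key)  # a public username never matches
        if username is not None:
            now = self._clock()
            last = self._last_sent.get(username)
            # Send at most one mail per account per cooldown window.
            if last is None or now - last >= self._cooldown:
                self._last_sent[username] = now
                self.outbox.append(key)
        return self.REPLY


def demo():
    """Replays the prank from the thread against constructed sample data."""
    now = [0.0]  # controllable clock for the demonstration
    gate = ResetRequestGate({"forum_admin": "owner@example.test"},
                            clock=lambda: now[0])
    for _ in range(20):
        gate.request("forum_admin")          # 20 requests by username
    by_username = len(gate.outbox)
    for _ in range(20):
        gate.request("owner@example.test")   # 20 requests by e-mail
    within_cooldown = len(gate.outbox)
    now[0] += 900                            # cooldown has elapsed
    gate.request("Owner@Example.test")
    return by_username, within_cooldown, len(gate.outbox)


if __name__ == "__main__":
    print(demo())
```

Someone who does know the e-mail address can still trigger one message per cooldown window, so this limits the nuisance rather than removing it.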
