
The logic behind the forgot-password feature on the Sphinn.com website could hurt the site in the long run! These are steps to be taken on-site, and they explain how important a small technical part of a website is. It is not too late for Sphinn.com: just take a couple of hours with the development team and fix the logic. And if you have the same sort of logic in your website, take action right now. Read more for details.

Comments

from Feydakin 1257 Days ago #
Votes: 2

I have to ask, did you contact them about this before you made your blog post??

from evilgreenmonkey 1256 Days ago #
Votes: 0

This post is very misleading. Passwords are only reset after email verification - if you don’t click the link in the email, your password isn’t reset. We also tell people to change the password as soon as they login with the default password. This was already on our radar, and we will be changing the process of resetting a password. It is not however a security risk.

from shiva 1256 Days ago #
Votes: 0

I agree the passwords are reset only after email verification, I have not written anything about that in the post - what I was pointing out is that the password is reset to "password" for everyone who does that and not auto generated - I am glad it is on the radar and actions are taken.
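
The difference raised in this comment, shown as an added example that is not code from Sphinn.com or from any commenter: an e-mail-verified reset that sets the same fixed value for every account, next to one that sets a random temporary password. The in-memory stores, function names, 15-minute token lifetime, single-use token and `must_change` flag are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores; a real site would use its database.
USERS = {"alice": {"pw": None, "must_change": False}}
TOKENS = {}            # sha256(token) -> (user, expiry timestamp)
TOKEN_TTL = 15 * 60    # assumed link lifetime in seconds

def _hash_pw(password, salt=None):
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def check_password(user, candidate):
    salt, digest = USERS[user]["pw"]
    return hmac.compare_digest(digest, _hash_pw(candidate, salt)[1])

def reset_fixed_default(user):
    """Flow discussed in the thread: a verified reset sets the same value for everyone."""
    USERS[user]["pw"] = _hash_pw("password")

def request_reset(user, now=None):
    """Create the token that goes into the e-mailed link; only its hash is stored."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    TOKENS[hashlib.sha256(token.encode()).hexdigest()] = (user, now + TOKEN_TTL)
    return token

def confirm_reset(token, now=None):
    """Link clicked: consume the token, set a random temporary password, force a change."""
    now = time.time() if now is None else now
    entry = TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)  # single use
    if entry is None or now > entry[1]:
        return None
    user, _ = entry
    temp = secrets.token_urlsafe(12)      # unique per reset, unlike a fixed default
    USERS[user]["pw"] = _hash_pw(temp)
    USERS[user]["must_change"] = True     # login handler should route to the change form
    return temp                           # delivered to the verified address only
```

With the fixed default, the post-reset password is the same known string for every account until the owner changes it; with the random value, it is known only to whoever can read the verified mailbox.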

from shiva 1256 Days ago #
Votes: 0

@Michelle: Hi, Again, I have not misinterpreted how an activation email is sent and I didn’t question that at all and didn’t go to that topic anywhere. Being a technical person myself - I would not approve a logic that gives a standard password for anyone who resets their password. Assume we have a banking application and if and when a user (and that too any user) resets their password, if the application changes the password to be password - will we agree?

from mychildbook 1002 Days ago #
Votes: 0

Hm, maybe it is not such a big problem that the password is changed to the default "password" phrase, but for me the problem was where to change the password. They said only to change the password when you log in again, but they don’t say where to click to change it... I’m not new to the internet and computers, but despite that, it took me more than 15 minutes to find the way. Try to imagine how much time it would take for an inexperienced person to find it? Or a person who is not so good in English? And try to imagine that during that time someone can succeed in hacking somebody’s account.

from evilgreenmonkey 935 Days ago #
Votes: 0

Misleading information that portrays a security risk.

Administrator
from Michelle 935 Days ago #
Votes: 0

What evilgreenmonkey said. Misleading post that leaves out a crucial detail about how something actually functions.

Moderator
from Jill 935 Days ago #
Votes: 0

If people who reset their password don’t know enough to change it once they login again, especially when it’s something like ’password’ then it’s their own fault if hacked.
