AlenPelin / FridayCore

FridayCore is a set of Sitecore extensions that every Sitecore site needs.
MIT License

When creating an account don't email the password #11

Open mawiseman opened 6 years ago

mawiseman commented 6 years ago

I think it would be better practice (and probably more secure) to send a link with userid and expiration date via JWT and force the user to choose their own password.

https://jwt.io/

This would mean

AlenPelin commented 6 years ago

Thanks @mawiseman for the valid point, which indeed makes sense to implement. It is, however, a much more complex solution than the current one, and therefore carries a much greater risk of introducing an even bigger vulnerability.

In fact, it will also require replacing the password recovery mechanism on the Sitecore login page, because SignUpRules relies on it.
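The signed, expiring link proposed in this issue, sketched as an added example; it is not FridayCore code and not written by either commenter. It uses only the Python standard library to build and check an HS256 JWT holding the user id and expiry; the function names and the demo secret are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key (assumption): a real deployment loads a random server-side secret.
SECRET = b"constructed-demo-key"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(signing_input: str) -> bytes:
    return hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()


def issue_token(user_id, ttl_seconds, now=None):
    """Build an HS256 JWT carrying the user id ("sub") and expiry ("exp")."""
    now = time.time() if now is None else now
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user_id, "exp": int(now) + ttl_seconds}
    body = header + "." + b64url_encode(json.dumps(claims).encode())
    return body + "." + b64url_encode(sign(body))


def verify_token(token, now=None):
    """Return the user id if the token is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        expected = sign(header_b64 + "." + claims_b64)
        # Constant-time comparison, done before any claim is parsed or trusted.
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(claims_b64))
    except ValueError:  # wrong part count, bad base64, bad JSON, non-ASCII input
        return None
    if header.get("alg") != "HS256":  # accept only the algorithm issued here
        return None
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None
    return claims.get("sub")
```

A stateless token like this stays valid until `exp`, so the set-password handler still has to reject a link whose account already has a password chosen.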