amtgard / ORK3

Version 3 of the Online Record Keeper

Change password reset workflow #202

Closed kenwalker closed 5 years ago

kenwalker commented 5 years ago

At the moment, when you (or anyone, really, with your ORK name) request a password change, it happens immediately and the new password is sent to you. So you could essentially have other people trying to reset your password over and over. It might be beneficial to match current methods, where a link within the email triggers the start of the password change process and then you get a new password. So if someone has done that in error or maliciously, your old password still works as long as you don't click the link in the email?

esdraelon commented 5 years ago

Password reset creates a new temporary credential in parallel to your primary credential that can be used to log into your account. That credential only lasts a day (maybe 3, I can't remember), and does not overwrite any other existing credentials. So, you could hammer the reset a bunch of times, and all of the reset credentials would work for their limited time, in addition to whatever permanent credential also existed.

kenwalker commented 5 years ago

Ok, so the net effect is the same as other workflows in that you can still use your old password even if someone is spamming your account with password resets. You just ignore them and move on. If that's the case I'll close this issue. Thanks much for the explanation.

esdraelon commented 5 years ago

Yes, that's correct. The authorizations are stored in a double-blind tank that relies on a SHA512 hash of your account salt and password. Technically, there is a risk of collisions and information leaking, but I think the risk is low compared to the value of the data. The reset password feature just makes new entries in the tank using your account salt that expire eventually.
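The credential model esdraelon describes (a reset adds a time-limited entry to the per-account tank of salted SHA-512 digests instead of replacing the permanent one) as an added Python sketch; this is not the ORK3 code, and the class and method names, the salt value and the one-day TTL default are assumptions:

```python
import hashlib
import secrets

class CredentialTank:
    """Per-account 'tank': SHA-512 digests of salt + secret, each mapped to an
    expiry time (None = permanent). Names are assumptions, not ORK3's own code."""
    def __init__(self, account_salt: bytes):
        self.salt = account_salt
        self.entries = {}  # digest -> expiry timestamp, None = permanent

    def _digest(self, secret: str) -> str:
        # Lookup is by digest alone, which is where the (small) collision risk
        # mentioned in the thread comes from.
        return hashlib.sha512(self.salt + secret.encode()).hexdigest()

    def set_permanent(self, password: str) -> None:
        self.entries[self._digest(password)] = None

    def issue_reset(self, now: float, ttl_seconds: float = 86400) -> str:
        # A reset ADDS a temporary credential; no existing entry is overwritten.
        # TTL is a parameter because the thread is unsure whether it is 1 or 3 days.
        temp = secrets.token_urlsafe(12)
        self.entries[self._digest(temp)] = now + ttl_seconds
        return temp  # in the real workflow this is e-mailed to the account holder

    def check(self, secret: str, now: float) -> bool:
        d = self._digest(secret)
        if d not in self.entries:
            return False
        expiry = self.entries[d]
        if expiry is not None and now >= expiry:
            del self.entries[d]  # lazily drop the expired reset credential
            return False
        return True


def reset_spam_scenario(resets: int = 5, ttl: float = 86400) -> dict:
    """Constructed scenario: someone hammers the reset; the owner's permanent
    password must keep working and the temporary ones must expire."""
    tank = CredentialTank(account_salt=b"constructed-salt")
    tank.set_permanent("owner-password")
    t0 = 1_700_000_000.0
    temps = [tank.issue_reset(t0, ttl) for _ in range(resets)]
    return {
        "permanent_ok_during_spam": tank.check("owner-password", t0 + 1),
        "temps_ok_before_expiry": all(tank.check(t, t0 + 1) for t in temps),
        "temps_ok_after_expiry": any(tank.check(t, t0 + ttl + 1) for t in temps),
        "permanent_ok_after_expiry": tank.check("owner-password", t0 + ttl + 1),
        "entries_left": len(tank.entries),
    }
```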