Password changes - Current implementation doesn't require the old password
Password resets - There is no user based "I forgot my password"
Password resets by an admin
We also may want an account lock out / throttle. After ten bad passwords, have a thirty second delay between the latest request. Clear this field when a user successfully logs in.
Need to address three issues:
We also may want an account lock out / throttle. After ten bad passwords, have a thirty second delay between the latest request. Clear this field when a user successfully logs in.