Reset password functionality exposes users to denial of service.
Anyone can reset the password of a known user name.
We should add a challenge, security question.
OR
A 2-step reset procedure via email. Don't reset the password until a tokenized link
is visited via the emailed link.
OR
Leave the current password working along with the reset password in case it was
unintentional. This is kludgy though.
Original issue reported on code.google.com by tablatronics on 23 Jul 2012 at 2:46
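An added example (not code from the original issue or the project) of the 2-step reset proposed above, in Python: the request step stores only a hash of a random token with an expiry, and the existing password stays valid until the emailed link carrying that token is visited. The class and the in-memory user store are assumptions for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # reset links stop working after 15 minutes


class PasswordResetService:
    """Hypothetical two-step reset: requesting a reset changes nothing in the
    account; the password is replaced only when the emailed token is presented."""

    def __init__(self, users, now=time.time):
        self.users = users      # {username: password}, an in-memory stand-in for the DB
        self.pending = {}       # {username: (sha256(token), expires_at)}
        self.now = now          # injectable clock so expiry can be tested

    def request_reset(self, username):
        # A random token is generated for every request so the caller cannot
        # tell whether the username exists; only real users get a pending record.
        token = secrets.token_urlsafe(32)
        if username in self.users:
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.pending[username] = (digest, self.now() + TOKEN_TTL_SECONDS)
        # In a real system this token goes only into the emailed link, never
        # back to the HTTP caller; returned here so the example can be exercised.
        return token

    def confirm_reset(self, username, token, new_password):
        record = self.pending.get(username)
        if record is None:
            return False
        token_hash, expires_at = record
        if self.now() > expires_at:
            del self.pending[username]          # expired links are discarded
            return False
        candidate = hashlib.sha256(token.encode()).hexdigest()
        if not secrets.compare_digest(candidate, token_hash):
            return False                         # wrong token: old password still valid
        del self.pending[username]              # single use
        self.users[username] = new_password     # only now does the password change
        return True
```

Because only the token's hash is stored, a leaked pending-reset table does not let anyone complete a reset, and an unsolicited request leaves the victim's current password untouched.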