Password Reset Feature

[GoogleCodeExporter]

We should probably build a password reset feature. This was highly 
requested by the users last time around.

This could be a form that is visible to non-logged-in users. They fill in 
their username and the email address they used to create the account. If 
their account is activated and the email matches the username, fire them an 
email explaining that there has been a password reset request. In the 
email, there would be a link that they can click to reset their password.

This feature is very similar to the account activation process, which you 
can see in register.php, check_registration.php, and 
account_activation.php.

Security is a huge issue with this feature. We need to be extremely careful 
that this feature doesn't accidentally make it computationally feasible for 
a clever attacker to steal a person's account. We need to be really 
careful. Before this feature is publicly launched, we need to have a few 
people look at it, think about it, think of all the ways it could be 
attacked, and then okay it.

Original issue reported on code.google.com by cameron.jp@gmail.com on 22 May 2010 at 9:54

[GoogleCodeExporter]

Original comment by cameron.jp@gmail.com on 22 May 2010 at 10:24

• Changed state: New

[GoogleCodeExporter]

Original comment by cameron.jp@gmail.com on 5 Sep 2010 at 5:50

• Added labels: Priority-Low
• Removed labels: Priority-Medium

[GoogleCodeExporter]

branch /branches/issue5_password_reset implements the feature.

Original comment by ademar.g...@gmail.com on 14 Sep 2010 at 12:24

• Changed state: Started