Open allain opened 11 years ago
@allain sorry for the long delay, we certainly should do a more sophisticated implementation like the one you suggest. Similar to signing up users, which does not have an email confirmation routine at the moment.
If you'd like to contribute on that, please go ahead, we're very happy to support! Otherwise we'll get back on this one asap ourselves.
If I know your username, I can lock you out by creating a password reset request.
Yes, you'll get the email, but I can just keep requesting it. Why? Because you've insulted my family, and I'm a jerk.
I think the password reset should work a little differently to stop me from doing this: