sudoroom / sudo-humans

hackerspace membership server
37 stars, 19 forks

Password reset workflow should not immediately reset the password #29

Open rcsheets opened 9 years ago

rcsheets commented 9 years ago

Immediately resetting the user's password creates an opportunity for a denial of service attack wherein the attacker repeatedly resets the user's password. Instead, passwords should only be changed after the user takes some action, such as clicking an emailed link.

We are especially vulnerable to this since we publish a list of users.

buzzaz commented 9 years ago

Really appreciating you Robert. Agreed. Seconded.

AZ Zaidi www.AbbasZaidi.com 415.966.9800 on PST. "An organism coordinates a point of view." ~Terrence McKenna On Jul 28, 2015 11:03 PM, "Robert C. Sheets" notifications@github.com wrote:
