[OPEN-ILS-GENERAL] Password reset uses phone number fails: EG2.2
Bob Wicksall
bwicksall at pls-net.org
Fri Aug 3 09:45:53 EDT 2012
<Snip>
> Because resetting someone's password to something that is basically
> public information, their phone number, is asking for accounts to be
> hijacked.
If that is the case you could argue that the setting shouldn't exist in the first place. What is worse? A database full of users who have never changed their password from the default phone number or a few manually reset passwords?
Bob Wicksall
Systems Administrator
Pioneer Library System
2557 State Rt. 21
Canandaigua, New York 14424
----- Original Message -----
> From: "Jason Stephenson" <jstephenson at mvlc.org>
> To: open-ils-general at list.georgialibraries.org
> Sent: Friday, August 3, 2012 9:27:00 AM
> Subject: Re: [OPEN-ILS-GENERAL] Password reset uses phone number fails: EG2.2
>
> Quoting Thomas Berezansky <tsbere at mvlc.org>:
>
> > All future resets would still be random.
>
> Because resetting someone's password to something that is basically
> public information, their phone number, is asking for accounts to be
> hijacked.
>
>
> --
> Jason Stephenson
> Assistant Director for Technology Services
> Merrimack Valley Library Consortium
> Chief Bug Wrangler, Evergreen ILS
>