Topic on Project:Support desk

VictorPorton (talkcontribs)

I have switched my site to HTTPS, but somebody may intercept the password reset email, which is not encrypted.

How to protect my site against password reset attacks?

87.123.27.219 (talkcontribs)

If I got it right, then the password reset mail contains not only a link to a wiki page on which you can reset the password, but in fact contains the new password.

First, I think this password only has a limited validity. And second, if you wanted to exploit this situation, then you would have to be able to read the corresponding network traffic. I think that brings it down to internet service providers, government agencies and to select people in your local network. <s>And the existence of the possibility that this _can_ be done does not necessarily mean that it also _will_ be done.</s> If this kind of abuse is possible, then I think it is only a question of time until someone abuses it.

Ciencia Al Poder (talkcontribs)

As explained on IRC, you need to ensure your connection to the SMTP server is encrypted, which requires TLS support on the SMTP server.
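To illustrate the advice above, here is an added LocalSettings.php example (not from the thread or from MediaWiki's own documentation) showing the plaintext SMTP setting beside a TLS-protected one. The hostname, port and credentials are placeholders, and the `ssl://` host prefix is assumed to be honoured by MediaWiki's PEAR Mail SMTP backend for implicit TLS on port 465.

```php
<?php
// Plaintext SMTP: the reset mail, temporary password included, crosses the
// network unencrypted between the wiki and the mail server. Do not use this.
// $wgSMTP = [
//     'host'     => 'smtp.example.com',   // placeholder hostname
//     'IDHost'   => 'wiki.example.com',   // placeholder, used in Message-ID
//     'port'     => 25,                   // plaintext submission port
//     'auth'     => true,
//     'username' => 'wiki@example.com',   // placeholder account
//     'password' => 'CHANGEME',           // placeholder, keep out of version control
// ];

// Encrypted SMTP: the ssl:// prefix (assumed to be passed through to the
// PHP stream layer by the PEAR Mail backend) wraps the connection in TLS
// from the first byte, so the temporary password is not readable on the wire.
$wgSMTP = [
    'host'     => 'ssl://smtp.example.com', // placeholder hostname, implicit TLS
    'IDHost'   => 'wiki.example.com',       // placeholder, used in Message-ID
    'port'     => 465,                      // standard implicit-TLS submission port
    'auth'     => true,
    'username' => 'wiki@example.com',       // placeholder account
    'password' => 'CHANGEME',               // placeholder, keep out of version control
];

// Send mail via the configured SMTP server rather than the local sendmail binary,
// so the setting above is actually used for password reset mail.
$wgEnableEmail = true;
```

This only protects the hop from the wiki to your own SMTP server; onward delivery to the recipient's mailbox depends on whether that server and the recipient's provider negotiate TLS between themselves.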