  1. Confluence Server
  2. CONFSERVER-9818

"Forgot password" function allows easy misuse

      Description

      The "Forgot password" function invents a new password and sends it by email.

      This invites misuse, as guessing the userid is already enough to annoy or even lock out the legitimate account owner. (The user may currently not have access to his email account, or the mail could be killed by a spam filter.)

      Possible solutions could be that the old password remains valid until changed by the user himself, or a new password is only generated when the user acknowledges having received the email.
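
The two behaviours side by side, as an added example that is not Confluence code and not part of the original report: `legacy_forgot` replaces the password as soon as anyone submits the userid, while `request_reset` / `confirm_reset` leave the old password valid until the emailed token is redeemed. The `Accounts` class, its method names, the in-memory `outbox` standing in for mail delivery, and the one-hour token lifetime are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

TOKEN_TTL = 3600  # seconds; assumed lifetime for the emailed token

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Accounts:
    def __init__(self):
        self.users = {}    # username -> (salt, password hash)
        self.pending = {}  # sha256(token) -> (username, expiry)
        self.outbox = []   # stands in for the mail server (constructed)

    def set_password(self, user, password):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, _pw_hash(password, salt))

    def login(self, user, password):
        if user not in self.users:
            return False
        salt, stored = self.users[user]
        return hmac.compare_digest(stored, _pw_hash(password, salt))

    def legacy_forgot(self, user):
        """Behaviour described in the issue: the password changes at once."""
        if user in self.users:
            new = secrets.token_urlsafe(9)
            self.set_password(user, new)  # old password stops working here
            self.outbox.append((user, new))

    def request_reset(self, user):
        """Proposed behaviour: mail a token, leave the credential untouched."""
        if user in self.users:
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.pending[digest] = (user, time.time() + TOKEN_TTL)
            self.outbox.append((user, token))  # only the hash is stored

    def confirm_reset(self, token, new_password, now=None):
        """Only someone who received the mail can change the password."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        user, expiry = self.pending.pop(digest, (None, 0))  # single use
        if user is None or now > expiry:
            return False
        self.set_password(user, new_password)
        return True
```

With the second flow, a reset request submitted by someone else, or a reset mail that never arrives, costs the account owner nothing: the pending token simply expires.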

              People

              • Votes: 4
                Watchers: 3

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Last commented:
                  7 years, 43 weeks, 5 days ago