I wasn't planning on implementing the annoying multiple "What was the mascot of the first car where your favorite pet's maiden name's favorite sport first met their favorite superhero?" questions.

This is a programming site so we may be able to go with some more high-tech solutions. For example, let you paste a public key to store in your account so you can save your private key whatever places you like with as strong or weak of a pass-phrase as you like and get access to change your password by correctly signing a random challenge message. Though, I'm disappointed at how non-obvious it is which commands to use to sign a message with a private key. So that might not be viable enough, sadly.[1]

[1] I'd love to set up a virtual machine with sshd running on it. The "I forgot my password" page would prep the machine for your account and give you its current IP address and port number. Just log in to that machine with your user_id as login name using your private key and you'd be prompted to enter your new password. When it comes to things that you can do with a private key, using ssh seems the most widely and easily accessible. :)

I'd also really like to be able to have two e-mails. I've many times experienced losing access to an e-mail account suddenly and unexpectedly (changing jobs is the most common example but I've also had my private e-mail service provider just go out of business suddenly and unexpectedly) or just didn't realize that I was using that old e-mail address. Having a second e-mail address registered greatly reduces the risk of me ending up with no accessible e-mail address when I realize that I need it.

There are two competing concerns about these backups to your account password: 1) Making it possible to get back into your account despite you having forgotten your password (the "experts" tell you to not write it down, after all) and having lost access to other items (and not requiring human administrator intervention), 2) Keeping it hard for somebody to steal your account from you and also possible for you to steal it back.

For example, (2) inspired somebody to suggest that you should be required to enter your (old) password to be able to change your e-mail address. But I think that thwarts a too-common case of (1) (at least for now). Instead, I'd like changing the e-mail to trigger an e-mail to the old address that includes a URL that can be used to regain control of the account for a limited span of time. But that presents a problem after somebody has hijacked your account and changed the e-mail address when you try to regain control and change the e-mail back.

- tye        


In reply to Re^2: Requiring old password in order to change your password by tye
in thread Requiring old password in order to change your password by tye
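
The signed-challenge reset described in the post, sketched with the openssl command line as an added example (not part of the original post and not PerlMonks code). The challenge layout, the file names and the user id `alice` are assumptions, and the key pair is a throwaway generated for the demo.

```shell
#!/bin/sh
# Added example: password reset by signing a server-issued challenge.
# Challenge layout, file names and user id are assumptions for this demo.

# Server: issue a challenge bound to the account and an expiry time.
new_challenge() {  # $1 = user id, $2 = lifetime in seconds
    printf 'pw-reset|%s|%s|%s\n' "$1" "$(( $(date +%s) + $2 ))" "$(openssl rand -hex 32)"
}

# User: sign the challenge file (openssl prompts if the key has a pass-phrase).
sign_challenge() {  # $1 = private key, $2 = challenge file, $3 = signature out
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Server: verify against its OWN stored copy of the challenge, never a copy
# sent back by the client, and delete that copy after one successful use.
verify_reset() {  # $1 = stored public key, $2 = issued challenge, $3 = signature, $4 = user id
    IFS='|' read -r tag user expires nonce < "$2" || return 1
    [ "$tag" = "pw-reset" ] && [ "$user" = "$4" ] || return 1
    [ "$(date +%s)" -le "$expires" ] || return 1
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# Constructed demo with a throwaway, unencrypted key pair in a temp directory.
demo() {
    d=$(mktemp -d) || return 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/key.pem" 2>/dev/null
    openssl pkey -in "$d/key.pem" -pubout -out "$d/pub.pem"   # what the user pastes into the account
    new_challenge alice 600 > "$d/c1"
    sign_challenge "$d/key.pem" "$d/c1" "$d/sig1"
    verify_reset "$d/pub.pem" "$d/c1" "$d/sig1" alice && echo "fresh challenge: accepted"
    # Replay: a signature over an old challenge must not satisfy a new one.
    new_challenge alice 600 > "$d/c2"
    verify_reset "$d/pub.pem" "$d/c2" "$d/sig1" alice || echo "replayed signature: rejected"
    rm -rf "$d"
}
demo
```

The random nonce is what defeats replay; the user id and expiry inside the signed text keep a signature obtained for one account or one reset window from being accepted for another.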
