
Item10206: Reset Password makes it too easy to reset another user's password

Priority: Normal
Current State: Confirmed
Released In: n/a
Target Release: minor
Applies To: Engine
Component: FoswikiUIPasswords
Branches:
Reported By: ArthurClemens
Waiting For:
Last Change By: GeorgeClark
For public Foswiki sites it is too easy to reset the password of other wiki users:
  1. In the login screen, click on "I forgot my password"
  2. On the Reset Password page, enter anyone's wiki name and click "Reset password"
  3. That person now receives an email:

Dear XXX

Login name "XXX" Your password has been changed to "CJ0U35FO".

Please visit http://site.com/System/ChangePassword to change your password to something more memorable for you.

If you have any questions, please contact me@site.com.

Instead, Foswiki should send out a request to change the password, much like the registration confirmation:
  1. In the login screen, click on "I forgot my password"
  2. On the Reset Password page, enter anyone's wiki name and click "Send request"
  3. The email should go along these lines:

Dear XXX

You (or perhaps someone else) have sent a request to reset your password.

If this is a valid request, follow up by visiting http://site.com/System/ResetMyPassword?secretcode=XTRDQUWYS

If you have any questions, please contact me@site.com.

  4. The user visits that page and clicks "Reset password"
  5. In the confirmation screen, the user can change the password to something memorable

-- ArthurClemens - 29 Dec 2010
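The request-then-confirm flow proposed above, as an added illustration that is not Foswiki's code: only a hash of the secret code is stored server-side, the link expires, it is single-use, and the existing password is left untouched until the link is redeemed. The user store, the one-hour lifetime and the email wording are constructed assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # assumption: a reset link is valid for one hour


class PasswordResetFlow:
    """Email-a-link reset. The plaintext secret goes only into the email; the
    server keeps a SHA-256 digest, so reading the store yields no usable link."""

    def __init__(self, users, now=time.time):
        self.users = users      # constructed stand-in: {login: password}
        self.pending = {}       # sha256(secret) -> (login, expiry timestamp)
        self.now = now          # injectable clock, for testing expiry

    def request_reset(self, login):
        """Step 2 of the proposed flow: returns the secret for the emailed link.
        Nothing about the account changes yet, unlike the current behaviour."""
        if login not in self.users:
            return None  # caller should answer identically either way (no enumeration)
        secret = secrets.token_urlsafe(32)
        digest = hashlib.sha256(secret.encode()).hexdigest()
        self.pending[digest] = (login, self.now() + TOKEN_TTL_SECONDS)
        return secret

    def redeem(self, secret, new_password):
        """Steps 4-5: the user follows the link and picks a new password."""
        digest = hashlib.sha256(secret.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # pop: a link works at most once
        if entry is None:
            return False
        login, expiry = entry
        if self.now() > expiry:
            return False  # expired link is discarded, password stays as it was
        self.users[login] = new_password
        return True


def reset_email(login, secret, base_url):
    """Constructed message body: it carries the link, never a password."""
    return (
        f"Dear {login}\n\n"
        "You (or perhaps someone else) have sent a request to reset your password.\n\n"
        "If this is a valid request, follow up by visiting "
        f"{base_url}/System/ResetMyPassword?secretcode={secret}\n"
    )
```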


Summary Reset Password makes it too easy to reset another user's password
ReportedBy ArthurClemens
Codebase 1.1.2, trunk
SVN Range
AppliesTo Engine
Component FoswikiUIPasswords
Priority Normal
CurrentState Confirmed
WaitingFor
Checkins
TargetRelease minor
ReleasedIn n/a
CheckinsOnBranches
trunkCheckins
Release01x01Checkins
Topic revision: r3 - 30 May 2014, GeorgeClark