Hacker News
sneak on June 14, 2011 | on: If you develop web apps, don't do this.
Also, that's the core of my argument - the "click here to reset your password" link that is sent, on command, is a link that gives you "complete control over the account" without identity verification (other than your email box).
yread on June 14, 2011
You can just make the link go to a page "Do you really want to reset your password?" with a POST form
sneak on June 14, 2011
It already goes to a "type your new password in twice" POST form. That's not the point.