I've heard reports that someone requested a number of password resets (possibly against all things that vaguely resembled accounts on a page or something). I think that we should implement this policy:

    IP address requests reset:
        create_token(IP)
        add_listed(IP, token)

    IP logs in:
        remove_listed(IP)

    Token used:
        remove_listed_by_token(token)

    Reset form triggered:
        if get_token_for_ip(IP) and token_is_not_expired(token):
            complain()

This means that if someone creates a token and it's used, then they can reset another account. It also means that if someone tries to reset an account from a computer, and someone else logs in from that computer, we will allow future resets from that IP. However, for the duration of the token, the IP address will not be allowed to request a reset.
When you share the same IP between several users, your policy won't work, for two reasons:

1. If another user sharing this IP logs in, existing tokens are removed, making it too easy to request another password.
2. If two users sharing the same IP both need a new password, one of them will be blocked.
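The per-IP policy from the first comment, replayed against the shared-address objections of the second, as an added example that is not code from this bug or from Bugzilla; the ResetPolicy class is hypothetical, and the 3600-second token lifetime and the addresses are assumed.

```python
import time


class ResetPolicy:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.by_ip = {}     # ip -> (token, expiry timestamp)
        self.by_token = {}  # token -> ip
        self.counter = 0
    def create_token(self, ip):
        self.counter += 1
        return "tok-%d" % self.counter  # constructed id, not a secure token
    def add_listed(self, ip, token):
        # 3600 s lifetime is assumed; the proposal does not give one.
        self.by_ip[ip] = (token, self.clock() + 3600)
        self.by_token[token] = ip
    def remove_listed(self, ip):
        token, _ = self.by_ip.pop(ip, (None, None))
        self.by_token.pop(token, None)
    def remove_listed_by_token(self, token):
        self.by_ip.pop(self.by_token.pop(token, None), None)
    def get_token_for_ip(self, ip):
        return self.by_ip.get(ip, (None, None))[0]
    def token_is_not_expired(self, token):
        ip = self.by_token.get(token)
        return ip is not None and self.by_ip[ip][1] > self.clock()

    def request_reset(self, ip):
        """Reset form triggered: new token, or None where the policy would complain()."""
        current = self.get_token_for_ip(ip)
        if current and self.token_is_not_expired(current):
            return None
        self.remove_listed(ip)  # drop a stale, expired entry before re-listing
        token = self.create_token(ip)
        self.add_listed(ip, token)
        return token
    def login(self, ip):           # "IP logs in"
        self.remove_listed(ip)
    def use_token(self, token):    # "Token used"
        self.remove_listed_by_token(token)


def shared_ip_scenario():
    """Replay comment 2's two objections behind one NAT address (constructed)."""
    p = ResetPolicy()
    a = p.request_reset("203.0.113.7")  # user A asks for a reset
    b = p.request_reset("203.0.113.7")  # user B, same NAT: blocked (objection 2)
    p.login("203.0.113.7")              # unrelated user C logs in (objection 1)
    c = p.request_reset("203.0.113.7")  # the address may request again at once
    return a is not None, b is None, c is not None
```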
I'm using a proxy at my univ (more than 100,000 PCs behind it) to access bmo; in such an environment this enhancement request might cause problems. I propose INVALID for this. :-)
So there is an agreement to not implement this policy (mkanat's P5 implicitly means WONTFIX).