password reset should only allow one token to be requested per ip

Status: RESOLVED WONTFIX
Product: Bugzilla
Component: User Accounts
Priority: P5
Severity: enhancement
Reported: 9 years ago
Modified: 9 years ago
Reporter: timeless
Assignee: Unassigned

Description (Reporter, 9 years ago)
I've heard reports that someone requested a number of password resets (possibly against all things that vaguely resembled accounts on a page or something).

I think that we should implement this policy:

IP address requests reset:
  token = create_token(IP)
  add_listed(IP, token)
IP logs in:
  remove_listed(IP)
Token used:
  remove_listed_by_token(token)
Reset form triggered:
  token = get_token_for_ip(IP)
  if token and token_is_not_expired(token):
    complain()

This means that if someone creates a token and it's used, then they can reset another account. It also means that if someone tries to reset an account from a computer, and someone else logs in from that computer, we will allow future resets from that IP. However, for the duration of the token, the IP address will not be allowed to request a reset.

Updated (9 years ago): Priority: -- → P5

Comment 1 (9 years ago)
When you share the same IP between several users, your policy won't work, for two reasons:
1. If another user sharing this IP logs in, existing tokens are removed, making it too easy to request another password.
2. If two users sharing the same IP both need a new password, one of them will be blocked.
I'm using a proxy at my university (more than 100,000 PCs behind it) to access bmo; in such an environment this enhancement request might cause problems.
I propose INVALID for this. :-)
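The following is an added example, not code from Bugzilla or from either commenter. It models the per-IP policy exactly as the description lays it out (one listed token per IP, cleared by a login from that IP or by use of the token, otherwise blocking further requests until the token expires) and then plays through the two shared-IP scenarios from comment 1. The token lifetime, the example addresses and the token strings are assumptions; the policy keys only on the IP, as proposed, so the account being reset is not modelled.

```python
"""Model of the proposed per-IP password-reset token policy and the
shared-IP problems raised in comment 1. Added example, not Bugzilla code."""

import time

# Assumed lifetime; the bug does not specify one.
TOKEN_LIFETIME = 3600.0


class ResetToken:
    def __init__(self, token, ip, expires_at):
        self.token = token
        self.ip = ip
        self.expires_at = expires_at


class ResetPolicy:
    """One outstanding reset token per IP, as described in the bug."""

    def __init__(self):
        self.listed = {}    # ip -> ResetToken  (the "listed" set)
        self.counter = 0    # deterministic token names for the example

    def create_token(self, ip, now):
        self.counter += 1
        return ResetToken("tok%d" % self.counter, ip, now + TOKEN_LIFETIME)

    def request_reset(self, ip, now=None):
        """'Reset form triggered': complain() if the IP already holds an
        unexpired token, otherwise create and list a new one."""
        now = time.time() if now is None else now
        existing = self.listed.get(ip)
        if existing is not None and now < existing.expires_at:
            return None                      # complain()
        tok = self.create_token(ip, now)     # create_token(IP)
        self.listed[ip] = tok                # add_listed(IP, token)
        return tok.token

    def login(self, ip):
        """'IP logs in' -> remove_listed(IP)."""
        self.listed.pop(ip, None)

    def use_token(self, token):
        """'Token used' -> remove_listed_by_token(token)."""
        for ip, tok in list(self.listed.items()):
            if tok.token == token:
                del self.listed[ip]
                return True
        return False


def scenario_one_ip_serial_resets():
    """Description: a second request is refused while the first token is
    live, and allowed again once that token has been used."""
    p = ResetPolicy()
    first = p.request_reset("198.51.100.7", 1000.0)
    blocked = p.request_reset("198.51.100.7", 1060.0)   # complain(): None
    p.use_token(first)
    second = p.request_reset("198.51.100.7", 1120.0)    # allowed again
    return first, blocked, second


def scenario_shared_ip_login_clears_block():
    """Comment 1, problem 1: an unrelated user behind the same proxy logs in,
    which removes the listed token and lets the requester go again at once."""
    p = ResetPolicy()
    proxy = "203.0.113.1"
    first = p.request_reset(proxy, 0.0)
    p.login(proxy)                       # someone else on the proxy logs in
    again = p.request_reset(proxy, 1.0)  # not blocked any more
    return first is not None and again is not None


def scenario_shared_ip_second_user_blocked():
    """Comment 1, problem 2: two legitimate users behind one proxy; the
    second is refused until the first token is used or expires."""
    p = ResetPolicy()
    proxy = "203.0.113.1"
    alice = p.request_reset(proxy, 0.0)
    bob = p.request_reset(proxy, 5.0)                      # None
    bob_later = p.request_reset(proxy, TOKEN_LIFETIME + 1)  # token expired
    return alice is not None, bob is None, bob_later is not None


if __name__ == "__main__":
    print(scenario_one_ip_serial_resets())
    print(scenario_shared_ip_login_clears_block())
    print(scenario_shared_ip_second_user_blocked())
```

Running the three scenarios shows the intended behaviour from the description alongside the two effects comment 1 objects to: behind a large NAT or proxy, a single login by anyone clears the block for everyone, and a single outstanding token blocks everyone else.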

Comment 3 (9 years ago)
So there is an agreement to not implement this policy (mkanat's P5 implicitly means WONTFIX).
Status: UNCONFIRMED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → WONTFIX