Idea Details

Improved security for passwords in emails

Last activity 12-17-2016 10:25 AM
Anon Anon
10-09-2015 09:59 AM

In order to initialize a password for the first time or reset a password, a link containing a One Time Password (OTP) with a high level of entropy should be sent, rather than the current functionality where the new password is sent in clear text via email.


The OTP must have a short lifetime (e.g. 10 minutes). If the user does not reset his password within the OTP lifetime, the OTP must be invalidated and the user must start the password reset process once again.
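The following is an added example of how the proposed flow can be implemented; it is not code from the original idea or from any product it refers to. It assumes an in-memory store, an injectable clock (so expiry can be exercised) and a placeholder reset URL. Only a hash of the token is stored, the token is bound to a 10-minute lifetime, it is consumed on first successful use, and an expired token is discarded so the user has to restart the process, which is exactly what the idea asks for. The new password itself never appears in the link or in any email.

```python
"""Single-use, time-limited password-reset links (added example, not the page's own code)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse

OTP_LIFETIME_SECONDS = 10 * 60  # 10-minute lifetime, as the idea proposes
TOKEN_BYTES = 32                # 256 bits of entropy from the OS CSPRNG
RESET_BASE_URL = "https://example.invalid/reset"  # placeholder endpoint (assumption)


@dataclass
class ResetRecord:
    token_hash: bytes   # only SHA-256(token) is stored, never the token itself
    expires_at: float   # absolute epoch time after which the token is dead


def _hash_token(token: str) -> bytes:
    return hashlib.sha256(token.encode("utf-8")).digest()


def _hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    # PBKDF2-HMAC-SHA256 with a random 16-byte salt; 600k iterations is the OWASP figure.
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 600_000)


class PasswordResetService:
    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so the expiry path can be tested deterministically
        self._pending: dict[str, ResetRecord] = {}            # user_id -> outstanding token
        self._passwords: dict[str, tuple[bytes, bytes]] = {}  # user_id -> (salt, pbkdf2 hash)

    def issue(self, user_id: str) -> str:
        """Create a fresh token for user_id and return the link to put in the email."""
        token = secrets.token_urlsafe(TOKEN_BYTES)
        # Issuing again replaces any earlier token, so only the newest link is valid.
        self._pending[user_id] = ResetRecord(
            token_hash=_hash_token(token),
            expires_at=self._clock() + OTP_LIFETIME_SECONDS,
        )
        return f"{RESET_BASE_URL}?{urlencode({'uid': user_id, 'token': token})}"

    def redeem(self, user_id: str, token: str, new_password: str) -> bool:
        """Consume the token and set the new password; False on any failure."""
        record = self._pending.get(user_id)
        if record is None:
            return False
        if self._clock() > record.expires_at:
            # Expired: invalidate it so the user must start the reset over.
            del self._pending[user_id]
            return False
        if not hmac.compare_digest(record.token_hash, _hash_token(token)):
            return False  # wrong token; the pending record stays until it expires
        del self._pending[user_id]  # consumed: the link works exactly once
        self._passwords[user_id] = _hash_password(new_password)
        return True

    def check_password(self, user_id: str, password: str) -> bool:
        stored = self._passwords.get(user_id)
        if stored is None:
            return False
        salt, expected = stored
        return hmac.compare_digest(expected, _hash_password(password, salt)[1])


def parse_reset_link(link: str) -> tuple[str, str]:
    """Split a link produced by issue() back into (user_id, token), as the reset page would."""
    query = parse_qs(urlparse(link).query)
    return query["uid"][0], query["token"][0]


if __name__ == "__main__":
    service = PasswordResetService()
    link = service.issue("alice")          # this link, not a password, goes into the email
    uid, tok = parse_reset_link(link)
    print("reset ok:", service.redeem(uid, tok, "correct horse battery staple"))
    print("second use rejected:", not service.redeem(uid, tok, "anything"))
```

Storing only the token hash means a leaked database copy does not hand out usable reset links, and `hmac.compare_digest` keeps the token check constant-time. A real deployment would persist the records and also rate-limit `redeem`, but the lifetime, single-use and invalidate-on-expiry rules above are the core of what the idea requests.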