Better option for password resetting #501
Assignees
Labels
Comments
|
OWASP has a fine resource of the best strategies to reset the password (for reference). |
alexlittle
added
the
good-first-issue
|
This might be a good start: https://django-password-reset.readthedocs.io/en/latest/index.html (also: https://github.com/brutasse/django-password-reset for the code). Doesn;t do everything (like security questions etc) but likely good enough for now (and better than what we currently do) |
|
Use the built in django auth method for doing this |
alexlittle
changed the title
|
transferred to OPPIA-42 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Currently the password reset works by resetting the password immediately to a new random 8-char string and emailing this to the user. So even if they then remember the old password it won't work.
A better option would be for this to function as many other sites do for password resetting, so a (time limited) link is sent by email to reset the password and forces the user to enter a new password (removing the 'temp password' as now), but in the meantime they can still use their original password if they remember it.
Very likely there will be django plugins that will handle this - just needs some investigation and testing as to the best option
The text was updated successfully, but these errors were encountered: