
What is a better method? I'm not disagreeing with you. I am encouraging you to share better ideas.



A better method is to send a special link to a user who requested to reset their password. After clicking on that link they can change it and log in. That makes it such that the user is the only one that can trigger the reset.

The worst a third party can do is trigger an email (simply note in the email that if you did not request it, you should ignore it, and that your account is still safe).

This is a common technique.
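
The reset-link flow described in the comment above, as an added example that is not part of the original thread. It assumes an in-memory user store, a 15-minute link lifetime, and an `example.com` URL; all function and variable names are hypothetical and the account is constructed sample data.

```python
import hashlib, hmac, secrets, time

TOKEN_TTL = 15 * 60                          # assumed link lifetime, in seconds
users = {"alice@example.com": {"pw": None}}  # constructed sample account
pending = {}   # sha256(token) -> (email, expiry); the raw token is never stored
outbox = []    # stands in for the mail system: (recipient, reset link)

def digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

def hash_password(password, salt=None):
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def request_reset(email, now=None):
    """Anyone may call this; its only effect is an email to the account owner."""
    now = time.time() if now is None else now
    if email in users:
        token = secrets.token_urlsafe(32)    # 256 bits from the OS CSPRNG
        pending[digest(token)] = (email, now + TOKEN_TTL)
        outbox.append((email, f"https://example.com/reset?token={token}"))
    # Same reply either way, so the form does not reveal which addresses are registered.
    return "If that address has an account, a reset link has been sent."

def redeem(token, new_password, now=None):
    """Called when the user follows the link; the password changes only here."""
    now = time.time() if now is None else now
    entry = pending.pop(digest(token), None)  # pop makes the link single-use
    if entry is None or now > entry[1]:
        return False
    users[entry[0]]["pw"] = hash_password(new_password)
    return True

def check_password(email, password):
    record = users[email]["pw"]
    return record is not None and hmac.compare_digest(
        record[1], hash_password(password, record[0])[1])
```

Requesting a reset leaves the existing password untouched, so a third party who submits someone else's address gains nothing beyond causing that email to be sent.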



