Tweak to changing of password

Suggestions that have been archived.

Moderator: Community Team

Shrinky
Posts: 403
Joined: Fri Aug 03, 2007 3:02 am
Location: As my flag says

Tweak to changing of password

Post by Shrinky »

Specifics: Currently when one changes their password, no email is sent to them to confirm that they really want to change the password. Makes it easy for hackers to render an account useless.

Suggestion: Send a confirmatory mail to email account provided upon sign up and only when user has confirmed that mail, then change password.
Let's say a hacker has hacked into cc account but has not yet hacked into your email account (assuming one is not stupid enough to keep same password for both!), so if hacker changes pw on cc, the confirmation mail gets sent and user will know that someone has hacked into account because he/she will definitely know that he/she did NOT change the pw at any point of time!

This will improve the following aspects of the site: Better account security
Highest Score-2505 (18/07/2010)
Woodruff
Posts: 5093
Joined: Sat Jan 05, 2008 9:15 am

Re: Tweak to changing of password

Post by Woodruff »

Shrinky wrote: Specifics: Currently when one changes their password, no email is sent to them to confirm that they really want to change the password. Makes it easy for hackers to render an account useless.

Suggestion: Send a confirmatory mail to email account provided upon sign up and only when user has confirmed that mail, then change password.
Let's say a hacker has hacked into cc account but has not yet hacked into your email account (assuming one is not stupid enough to keep same password for both!), so if hacker changes pw on cc, the confirmation mail gets sent and user will know that someone has hacked into account because he/she will definitely know that he/she did NOT change the pw at any point of time!

This will improve the following aspects of the site: Better account security


If this is the case currently, then this definitely seems like a smart move. Particularly when given the concept of "sitters".
...I prefer a man who will burn the flag and then wrap himself in the Constitution to a man who will burn the Constitution and then wrap himself in the flag.
TheForgivenOne
Posts: 5998
Joined: Fri May 15, 2009 8:27 pm
Gender: Male
Location: Lost somewhere in the snow. HELP ME

Re: Tweak to changing of password

Post by TheForgivenOne »

I 100% support this
Game 1675072
2018-08-09 16:02:06 - Mageplunka69: its jamaica map and TFO that keep me on this site
JoshyBoy
Posts: 3750
Joined: Mon May 26, 2008 6:04 pm
Gender: Male
Location: In the gym. Yeah, still there.

Re: Tweak to changing of password

Post by JoshyBoy »

I fully support this idea. Simple things done well... I like.
drunkmonkey wrote:I honestly wonder why anyone becomes a mod on this site. You're the whiniest bunch of players imaginable.

Ron Burgundy wrote:Why don't you go back to your home on Whore Island?
iamkoolerthanu
Posts: 4119
Joined: Sun Dec 31, 2006 6:56 pm
Gender: Male
Location: looking at my highest score: 2715, #170

Re: Tweak to changing of password

Post by iamkoolerthanu »

This would be a great addition. :)
Shrinky
Posts: 403
Joined: Fri Aug 03, 2007 3:02 am
Location: As my flag says

Re: Tweak to changing of password

Post by Shrinky »

quick question, how exactly are these suggestions passed on to lack?
Does a suggestion require a minimum number of support from fellow players before it is passed further up the ladder?
Highest Score-2505 (18/07/2010)
TheForgivenOne
Posts: 5998
Joined: Fri May 15, 2009 8:27 pm
Gender: Male
Location: Lost somewhere in the snow. HELP ME

Re: Tweak to changing of password

Post by TheForgivenOne »

It's done by our best judgement. If a topic gets quite a bit of support, we will sticky it, and/or put it on "Last Call", as seen with Adjacent Attacks and Upping the limit to 12 players.
Game 1675072
2018-08-09 16:02:06 - Mageplunka69: its jamaica map and TFO that keep me on this site
Shrinky
Posts: 403
Joined: Fri Aug 03, 2007 3:02 am
Location: As my flag says

Re: Tweak to changing of password

Post by Shrinky »

ok, thanks
Highest Score-2505 (18/07/2010)
JoshyBoy
Posts: 3750
Joined: Mon May 26, 2008 6:04 pm
Gender: Male
Location: In the gym. Yeah, still there.

Re: Tweak to changing of password

Post by JoshyBoy »

To be honest this looks like a really basic, simple, and easy-to-implement suggestion. Therefore I am going to "sticky" it and make it a [Last Call] for a couple of days, then should be able to submit it and it should get done no problem.

Cheers, JB ;)
drunkmonkey wrote:I honestly wonder why anyone becomes a mod on this site. You're the whiniest bunch of players imaginable.

Ron Burgundy wrote:Why don't you go back to your home on Whore Island?
Rocketry
Posts: 1416
Joined: Wed May 16, 2007 5:33 pm
Gender: Male
Location: Westminster

Re: Tweak to changing of password [Last Call]

Post by Rocketry »

Hmm...

What about if someone signs up to CC with a work email address or a temporary email address, and then that account becomes invalid for whatever reason (e.g. they leave that job or the temporary email address expires), and then they want to change their password? The email would go to an address they were unable to access so they could never change their password.

Rocket.
- CC's Most Wanted - 2401
slowreactor
Posts: 1356
Joined: Tue Jan 20, 2009 3:34 pm
Gender: Male
Location: Ithaca, NY

Re: Tweak to changing of password [Last Call]

Post by slowreactor »

Rocketry wrote:Hmm...

What about if someone signs up to CC with a work email address or a temporary email address, and then that account becomes invalid for whatever reason (e.g. they leave that job or the temporary email address expires), and then they want to change their password? The email would go to an address they were unable to access so they could never change their password.

Rocket.


You can change your e-mail address:

Control Panel -> Profile -> Edit Account Settings.
then put in your new e-mail under "E-mail address".
MrBenn
Posts: 6880
Joined: Wed Nov 21, 2007 9:32 am
Location: Off Duty

Re: Tweak to changing of password [Last Call]

Post by MrBenn »

How about a simpler suggestion; rather than requiring a confirmation link to be verified before the pw is changed, why not just send an email to the registered email address with the new password?

You should only need to verify a new email address, as that is more of an "identity" change, as opposed to a "security" change
PB: 2661 | He's blue... If he were green he would die | No mod would be stupid enough to do that
Dako
Posts: 3987
Joined: Sun Aug 26, 2007 9:07 am
Gender: Male
Location: St. Petersburg, Russia

Re: Tweak to changing of password [Last Call]

Post by Dako »

As I previously said, confirmation by email of the password change is unnecessary - you are already confirming a password change by entering the previous (current) password. And if the hacker wants to change the password he will change the email first.

Confirmation is needed when you are about to make a serious action you are unaware of. How can you be unaware of a password change, when you enter it twice (blindfolded by * symbols) and you also enter the current password? How many more confirmations do you want?

And I don't think it will be of any protection against hackers.
Hornet95
Posts: 154
Joined: Sun Aug 10, 2008 2:24 pm
Location: U.S., Central Time Zone (UT-5 hrs)

Re: Tweak to changing of password [Last Call]

Post by Hornet95 »

How many times do you change your password, legit or not legit? 1-3 times per year is my guess. For the slight inconvenience of a stray e-mail, I think this would be very helpful. This should be for both password changes and e-mail address changes (sent to both the new and the old e-mail addresses). I think to be helpful, the following information should also be included in the e-mail sent:

IP address of requestor:
Time of request:

And you should be locked out from making any further changes in those two items only for 24 hours.
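
The notification-and-lockout scheme proposed in the post above, as an added example that is not part of the original thread and is not Conquer Club's or phpBB's code. The `Account` model, the function names, the addresses and the IP are assumptions; checking the current password is assumed to happen before these functions are called.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

LOCK_WINDOW = timedelta(hours=24)  # lockout length suggested in the post above

class ChangeLocked(Exception):
    """Raised when a credential change is attempted inside the lock window."""

@dataclass
class Account:  # hypothetical model, not the site's or phpBB's schema
    email: str
    password_hash: str
    locked_until: Optional[datetime] = None

def _guard(acct, now):
    if acct.locked_until is not None and now < acct.locked_until:
        raise ChangeLocked(f"changes locked until {acct.locked_until.isoformat()}")

def _notify(outbox, recipients, item, ip, now):
    body = (f"Your {item} was changed.\n"
            f"IP address of requestor: {ip}\n"
            f"Time of request: {now.isoformat()}")
    outbox.extend((rcpt, body) for rcpt in recipients)

def change_email(acct, new_email, ip, now, outbox):
    _guard(acct, now)
    old_email, acct.email = acct.email, new_email
    acct.locked_until = now + LOCK_WINDOW
    # The old address is notified as well, so the owner still hears about the change.
    _notify(outbox, [old_email, new_email], "e-mail address", ip, now)

def change_password(acct, new_hash, ip, now, outbox):
    _guard(acct, now)
    acct.password_hash = new_hash
    acct.locked_until = now + LOCK_WINDOW
    _notify(outbox, [acct.email], "password", ip, now)

def demo():
    # Constructed sample data: example.test addresses, documentation-range IP.
    outbox, t0 = [], datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    acct = Account("owner@example.test", "old-hash")
    change_email(acct, "other@example.test", "203.0.113.7", t0, outbox)
    try:  # the e-mail-then-password sequence raised elsewhere in the thread
        change_password(acct, "new-hash", "203.0.113.7", t0 + timedelta(minutes=5), outbox)
    except ChangeLocked:
        return [rcpt for rcpt, _ in outbox], True
    return [rcpt for rcpt, _ in outbox], False
```

`demo()` returns the recipients of the notifications and whether the follow-up password change was refused inside the 24-hour window.
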
Shrinky
Posts: 403
Joined: Fri Aug 03, 2007 3:02 am
Location: As my flag says

Re: Tweak to changing of password [Last Call]

Post by Shrinky »

Dako wrote: As I previously said, confirmation by email of the password change is unnecessary - you are already confirming a password change by entering the previous (current) password. And if the hacker wants to change the password he will change the email first.

Confirmation is needed when you are about to make a serious action you are unaware of. How can you be unaware of a password change, when you enter it twice (blindfolded by * symbols) and you also enter the current password? How many more confirmations do you want?

And I don't think it will be of any protection against hackers.


You got a point there. But let's look at it from the angle of an account sitter now.

If, say, one of them suddenly turned rogue, then going by the current method of changing password, account is compromised. But if we go by the new method, then account is not entirely compromised as one more check needs to be done before password is changed.

Agreed that once a hacker is set upon doing something, it's very hard to stop him/her. But not so with a rogue account sitter.

MrBenn wrote:How about a simpler suggestion; rather than requiring a confirmation link to be verified before the pw is changed, why not just send an email to the registered email address with the new password?

You should only need to verify a new email address, as that is more of an "identity" change, as opposed to a "security" change


That sounds good. As email id can also be changed along with password, it would be more useful to send email to registered email id informing of the changes that have taken place.
Highest Score-2505 (18/07/2010)
Dako
Posts: 3987
Joined: Sun Aug 26, 2007 9:07 am
Gender: Male
Location: St. Petersburg, Russia

Re: Tweak to changing of password [Last Call]

Post by Dako »

Simple question. Is your password from CC the same one as from your email? How many passwords do you have?
[[My answer: no, not the same, and I have 7-9 different passwords lol.]]

And one more thing - sitting is considered as account sharing (though it is approved as of now) and is a password giveaway - security leak. I am sure when lack implements some kind of sitting interface your password will be yours only.
BigBallinStalin
Posts: 5151
Joined: Sun Oct 26, 2008 10:23 pm
Location: crying into the dregs of an empty bottle of own-brand scotch on the toilet having a dump in Dagenham

Re: Tweak to changing of password [Last Call]

Post by BigBallinStalin »

I'm glad you gentlemen are hammering out the details, but I'd like to congratulate Shrinky for getting the ball rolling on this tremendous suggestion for the improvement of CC security.
Rocketry
Posts: 1416
Joined: Wed May 16, 2007 5:33 pm
Gender: Male
Location: Westminster

Re: Tweak to changing of password [Last Call]

Post by Rocketry »

slowreactor wrote:
Rocketry wrote:Hmm...

What about if someone signs up to CC with a work email address or a temporary email address, and then that account becomes invalid for whatever reason (e.g. they leave that job or the temporary email address expires), and then they want to change their password? The email would go to an address they were unable to access so they could never change their password.

Rocket.


You can change your e-mail address:

Control Panel -> Profile -> Edit Account Settings.
then put in your new e-mail under "E-mail address".


Maybe I'm missing the point... I thought the whole point of this suggestion was that the change password confirmation goes to the original signup email address. If it goes to the email you currently have registered then I guess this wouldn't work... a hacker could just firstly change the hackee's (word!) email and then change the password, causing the verification to go to the new email they have chosen. I'm not against higher security but I just don't understand why this would help.

Rocket.
- CC's Most Wanted - 2401
Commander9
Posts: 757
Joined: Fri Aug 22, 2008 1:51 am
Gender: Male
Location: In between Lithuania/USA.

Re: Tweak to changing of password [Last Call]

Post by Commander9 »

Great idea! If a confirmation email is sent both for email and pw change, it does improve things by quite a bit (not that it's completely safe, but still). I'm in for this one.
But... It was so artistically done.
natty dread
Posts: 12877
Joined: Fri Feb 08, 2008 8:58 pm
Location: just plain fucked

Re: Tweak to changing of password [Last Call]

Post by natty dread »

Rocketry wrote:
Maybe I'm missing the point... I thought the whole point of this suggestion was that the change password confirmation goes to the original signup email address. If it goes to the email you currently have registered then I guess this wouldn't work... a hacker could just firstly change the hackee's (word!) email and then change the password, causing the verification to go to the new email they have chosen. I'm not against higher security but I just don't understand why this would help.

Rocket.


Well of course next would be implemented a feature where, when you change your email, it will be sent to your password for verification.

Oh wait...
Little Witt
Posts: 560
Joined: Mon Mar 02, 2009 12:03 am
Gender: Male
Location: USA

Re: Tweak to changing of password [Last Call]

Post by Little Witt »

I think this is a good idea, but as Rocketry said, the hacker could just change the e-mail address then change the password, which would be true, but what would get rid of that problem might be that CC sends a code by e-mail and would only send it to you once, and that when you sign up (so you would have to write it down or something). And the only way you can change your PW is to type in the code CC sent you and typing in your old and new password, so even if they did change your e-mail address they wouldn't know the code sent to you, so there would be no way to change your password without the code.

Do you think that would work?

LW
Shrinky
Posts: 403
Joined: Fri Aug 03, 2007 3:02 am
Location: As my flag says

Re: Tweak to changing of password [Last Call]

Post by Shrinky »

Little Witt wrote: I think this is a good idea, but as Rocketry said, the hacker could just change the e-mail address then change the password, which would be true, but what would get rid of that problem might be that CC sends a code by e-mail and would only send it to you once, and that when you sign up (so you would have to write it down or something). And the only way you can change your PW is to type in the code CC sent you and typing in your old and new password, so even if they did change your e-mail address they wouldn't know the code sent to you, so there would be no way to change your password without the code.

Do you think that would work?

LW


Only thing against this is that it's too much of a bother for ppl to write the code down somewhere and then expect them to be able to find it again a long long time later.
That would just complicate things more for ppl and I don't think they'd like that :?
Highest Score-2505 (18/07/2010)
Dako
Posts: 3987
Joined: Sun Aug 26, 2007 9:07 am
Gender: Male
Location: St. Petersburg, Russia

Re: Tweak to changing of password [Last Call]

Post by Dako »

I think this issue will not be implemented because it is part of the forum. And if you want to have nice updates of the forums (remember last one - quick reply) to be available - you cannot code the forum yourself. So I am sure this will not be implemented by lackattack. It will be much easier to post on phpBB3 forums and propose it there - but not on CC.

It may be in submitted suggestions, but no one will code it, believe me.
TheForgivenOne
Posts: 5998
Joined: Fri May 15, 2009 8:27 pm
Gender: Male
Location: Lost somewhere in the snow. HELP ME

Re: Tweak to changing of password [Last Call]

Post by TheForgivenOne »

Unstickied this
Game 1675072
2018-08-09 16:02:06 - Mageplunka69: its jamaica map and TFO that keep me on this site