by bigiain
283 days ago
Especially since that email address presumably is used for the forgot-password authentication anyway. But it is at least the equivalent of a code smell. Perhaps a "UX smell"? A couple of obvious ways it can go bad: An attacker could potentially have access to your email (perhaps from a data breach elsewhere or a password stuffing attack) and use the temp password before you do. If the temp password is the one entered by the user during signup, a naive user could sign up using their commonly-reused password, which then sits in cleartext forever in their email archive.