by negativity
4400 days ago
I dunno, it's still pretty debatable, since e-mail isn't guaranteed to be encrypted over the wire, which leaves people open to MITM attacks. So consider a situation where someone receives a password in plain text, and the password never expires and never gets changed by the user. All things considered, a token is a token, so whether the "password" is sent in plaintext, or whether a nonce hex key is provided by e-mail, anything sent by e-mail should have a shelf life, even if it's a relatively long one of like 30 days. Ideally, it should expire in hours or minutes. If they don't get around to it fast enough, you have the user's e-mail; just tell them you need to send them another, because the last one expired. That way, you're forcing a live user to interact with the system, and act quickly, to establish proper authentication credentials.
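A minimal implementation of the short-lived, single-use e-mail token the comment argues for, added here as an illustration and not code from the original thread. The 15-minute TTL, the `TokenStore` class and the in-memory dictionary are assumptions for the example; a real service would persist the digests and rate-limit redemption attempts.

```python
import hashlib
import hmac
import secrets
import time

# Assumed TTL of 15 minutes (example value, not taken from the comment).
TOKEN_TTL_SECONDS = 15 * 60


class TokenStore:
    """In-memory store of outstanding e-mail tokens, keyed by address.

    Only a SHA-256 digest of each token is stored, so a leaked store does
    not yield usable tokens. Every entry is single-use and time-limited;
    once it expires the user must request a fresh one.
    """

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock          # injectable for deterministic tests
        self._entries = {}          # email -> (digest, expires_at)

    def issue(self, email):
        """Create a fresh random token for the address, replacing any older one.
        Returns the plaintext token, which is what would be e-mailed to the user."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._entries[email] = (digest, self.clock() + self.ttl)
        return token

    def redeem(self, email, token):
        """Check a presented token; returns 'ok', 'expired' or 'invalid'.
        Success consumes the token; expiry deletes it so a new one must be issued."""
        entry = self._entries.get(email)
        if entry is None:
            return "invalid"
        digest, expires_at = entry
        if self.clock() > expires_at:
            del self._entries[email]
            return "expired"
        presented = hashlib.sha256(token.encode()).hexdigest()
        # Constant-time comparison of the digests.
        if not hmac.compare_digest(digest, presented):
            return "invalid"
        del self._entries[email]    # single use
        return "ok"
```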