by brightball 4002 days ago
If they're going to have cancel password change requests they also have to have cancel change of alternative email requests. That's the first thing a hacker changes.

Additionally, you have to track every change with a timestamp so that you can invalidate everything that came AFTER the change you just reset. That will prevent a hacker from being able to screw with the account because the original email address will also be able to cancel future changes, no matter how many times the perpetrator did it.
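An added example, not part of the comment above, of the timestamped change log it describes: cancelling one change also rolls back every change recorded after it, so the original recovery address wins regardless of how many follow-up changes were made. The `Account` and `Change` types and the sample values are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List


@dataclass
class Change:
    seq: int            # insertion order; breaks ties between equal timestamps
    at: datetime
    field_name: str     # "password_hash" or "recovery_email"
    old_value: str
    new_value: str
    cancelled: bool = False


@dataclass
class Account:
    password_hash: str
    recovery_email: str
    history: List[Change] = field(default_factory=list)

    def apply_change(self, field_name: str, new_value: str, at: datetime) -> Change:
        """Record the change (with the value it replaces) before applying it."""
        old = getattr(self, field_name)
        change = Change(len(self.history), at, field_name, old, new_value)
        self.history.append(change)
        setattr(self, field_name, new_value)
        return change

    def cancel_change(self, change: Change) -> None:
        """Undo `change` and every later, still-active change, newest first,
        so each field ends up at the value it held before `change`."""
        for c in reversed(self.history):
            if (c.at, c.seq) < (change.at, change.seq):
                break
            if not c.cancelled:
                setattr(self, c.field_name, c.old_value)
                c.cancelled = True


def demo() -> Account:
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    acct = Account("hash(owner-pw)", "owner@example.com")
    # constructed hijack sequence: recovery address swapped first, then password, then swapped again
    first = acct.apply_change("recovery_email", "other@example.net", t0 + timedelta(minutes=1))
    acct.apply_change("password_hash", "hash(other-pw)", t0 + timedelta(minutes=2))
    acct.apply_change("recovery_email", "other2@example.net", t0 + timedelta(minutes=3))
    # the cancel link mailed to first.old_value (the owner's address) targets `first`
    acct.cancel_change(first)
    return acct
```

The cancel notification for a recovery-email change must go to `old_value`, the address being replaced, or the owner never receives the link.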