Forgotten Password Throttling

I have a "forgotten password" system that sends an email with a reset link to the user. Question: How can I prevent abuse of this system? How can I make sure that people don't use it to spam other people's inboxes, while still keeping it usable for people who need it?

+5
5 answers

When a recovery email is sent, record the time at which it occurred. If during a given time interval (15 minutes? 6 hours? per day?) there are any additional / too many recovery requests, print a message and do not send an email.

+1

Request a registered email address, not a username? It is much less likely to be known to an attacker.

Alternatively, add a TimeOfLastReset field to your users table and update it when you send the email. If CurrentTime - TimeOfLastReset is too small, then do not send.

+4
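The two throttles proposed in the answers above (a timestamp of the last reset per account, plus a cap on requests per time window) as one added example; this is illustrative code, not from the original thread. The cooldown and per-IP limits, the `registered` set standing in for the users table, and the `send_reset_email` hook are constructed for the example, and the uniform response text is an addition so that the throttle does not reveal which addresses exist.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed policy values, not from the original answers.
PER_ADDRESS_COOLDOWN = timedelta(minutes=15)  # CurrentTime - TimeOfLastReset must exceed this
PER_IP_WINDOW = timedelta(hours=1)
PER_IP_LIMIT = 5                              # requests per client IP per window
GENERIC_MESSAGE = "If that address is registered, a reset link has been sent."

T0 = datetime(2024, 1, 1, 12, 0, 0)           # constructed reference time for the demo


def at(minutes: float) -> datetime:
    """Constructed clock helper: T0 plus the given number of minutes."""
    return T0 + timedelta(minutes=minutes)


def send_reset_email(email: str) -> None:
    # Hypothetical hook; a real implementation generates a token and mails the link.
    pass


@dataclass
class ResetThrottle:
    registered: Set[str]                                            # stand-in for the users table
    last_reset: Dict[str, datetime] = field(default_factory=dict)   # TimeOfLastReset per user
    ip_history: Dict[str, List[datetime]] = field(default_factory=dict)

    def decide(self, email: str, client_ip: str, now: datetime) -> str:
        """Internal decision only: 'send', 'cooldown', 'ip_limit' or 'unknown'."""
        email = email.strip().lower()
        # Per-IP counter is checked first, so requests for unknown addresses are throttled too.
        recent = [t for t in self.ip_history.get(client_ip, []) if now - t < PER_IP_WINDOW]
        recent.append(now)
        self.ip_history[client_ip] = recent
        if len(recent) > PER_IP_LIMIT:
            return "ip_limit"
        if email not in self.registered:
            return "unknown"
        last = self.last_reset.get(email)
        if last is not None and now - last < PER_ADDRESS_COOLDOWN:
            return "cooldown"
        self.last_reset[email] = now                 # update TimeOfLastReset
        return "send"

    def handle(self, email: str, client_ip: str, now: datetime) -> str:
        """What the user sees: the same message whatever the decision was."""
        if self.decide(email, client_ip, now) == "send":
            send_reset_email(email)
        return GENERIC_MESSAGE
```

Log the internal decision server-side (it is what you alert on), while the user-facing page always shows the same text.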

1) ( ). 2) reset 3) reset ,

0

, .

( ), , .

, , . (display: none) name="message" . , submit.

.

0

If you use the email address as the username for logging in, this should not be a big problem, as not everyone will know the user's email, and in order for a reset to happen, the email must match the database. Therefore, a reset email will be sent only if someone enters a valid address.

0
