
> Using password reset links instead changes very little.

Actually it changes a lot. Password reset links are one time only, and they get sent before you change your password. Mailing your password in plaintext after you've just changed it means it's good even if someone gets a hold of it months or years later. That's significantly worse.



A password can be a one-time password, too. Requiring the user to change their password the first time they log in is not an advanced feature.


Of course they can be, but that's not what we're talking about here. Please read the ancestor comments.



