(03-06-2017, 07:41 AM)Narf Wrote: (03-06-2017, 07:14 AM)ajturner Wrote: 2. PaulD, Narf summed it up pretty well with his response about the example.
I didn't sum up anything. I only demonstrated that PaulD's example was a bad one.
Please note that I started my reply to him with agreeing on principle, and then disagreeing explicitly on the particular example he gave.
I wasn't disagreeing either.
In fact, he does raise a potential problem that should be looked at for possible solutions. I personally don't think it'll become bloated, like he suggests, but I may be proven wrong as the project moves forward.
Bear in mind, I didn't list a specific method for password recovery, other than saying password recovery needs to be a part of it. The actual method is to be determined (whether we send them an email with a temporary password or a link, etc). But that brings up additional concerns, such as the security of sending reset links through email. This is why I also mentioned two-factor authentication as a possibility.
------
Again, these comments are helping me narrow down what I need to be focusing on. I'm taking notes as I read through them. Keep them coming!