I am implementing a forgot-password feature for my website, and while looking at other websites for best practices, I found that Gmail enforces this; no other site I looked at enforced this constraint.
There are a lot of rather outdated ideas about passwords and password security.
If a user has a password compromised — and then however many days later they change it — the attacker is now blocked from the system.
Should that user ever go back and re-use his old password, then the hacker might decide to retry that account/password and regain entry into the system.
Of course, it opens up a whole new set of problems. Make it so a user can’t remember his password and they will start writing them on sticky notes taped to their monitor.
Personally? On all the sites I’ve worked on, I’ve never thought it important to add password expiration /or/ limits on what passwords may be (re)-used.
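One way to enforce the constraint the answer describes, as an added example that is not from the question, the answer, or any site they mention: each account keeps a bounded history of previous salted password hashes, and a requested new password is rejected when it matches the current one or any remembered one. The history depth, iteration count and the in-memory Account structure are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Assumptions for this example: remember the last 5 passwords, and use a
# low PBKDF2 iteration count so the example runs quickly; production code
# uses a much higher count or a memory-hard function such as scrypt/Argon2.
HISTORY_DEPTH = 5
ITERATIONS = 50_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


@dataclass
class Account:
    salt: bytes
    current: bytes
    # Previous (salt, hash) pairs, newest first; each keeps its own salt so an
    # old hash can still be checked after the current salt has been rotated.
    history: list = field(default_factory=list)


def create_account(password: str) -> Account:
    salt = os.urandom(SALT_BYTES)
    return Account(salt=salt, current=hash_password(password, salt))


def verify(account: Account, password: str) -> bool:
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(account.current, hash_password(password, account.salt))


def was_used_before(account: Account, candidate: str) -> bool:
    if verify(account, candidate):
        return True
    return any(hmac.compare_digest(digest, hash_password(candidate, salt))
               for salt, digest in account.history)


def change_password(account: Account, new_password: str) -> bool:
    """Rotate the password; refuse if it matches the current or a remembered one."""
    if was_used_before(account, new_password):
        return False
    account.history.insert(0, (account.salt, account.current))
    del account.history[HISTORY_DEPTH:]  # forget the oldest beyond the depth
    account.salt = os.urandom(SALT_BYTES)
    account.current = hash_password(new_password, account.salt)
    return True
```

Because every remembered entry is a salted hash, the history adds no more exposure than the current credential does if the store is breached.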