I want to implement a reset password feature in case users lose their passwords. But I’m worried about someone being able to make a lot of these requests for a single or multiple email addresses that don’t belong to him, which would be annoying for the actual owners of those addresses, and I would end up blacklisted.
What can I do to secure this feature against that? Set a limit of valid emails sent per IP? (3 emails max would be fine I guess)
Why not simply add a CAPTCHA to the password reset request form? You could then limit the number of requests per email address and per day/week/month, but a CAPTCHA would keep bots away.
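One way to combine the per-address and per-IP limits discussed in this thread, as an added example that is not part of the original question or answer: a sliding-window limiter keyed on both the normalised email address and the client IP, behind a handler that always returns the same generic message. The CAPTCHA check is assumed to run before this code; the class and function names, the default limits, the window length and the response text are all my assumptions.

```python
import time
from collections import defaultdict, deque


class ResetRateLimiter:
    """Sliding-window limiter for password reset requests.

    Every request is counted against both the email address and the source IP,
    whether or not the address exists, so the limiter itself leaks nothing about
    which addresses are registered.
    """

    def __init__(self, per_email=3, per_ip=3, window_seconds=86400, now=time.time):
        self.per_email = per_email          # max requests per address per window
        self.per_ip = per_ip                # max requests per client IP per window
        self.window = window_seconds        # assumed default: one day
        self.now = now                      # injectable clock, useful for tests
        self._email_hits = defaultdict(deque)
        self._ip_hits = defaultdict(deque)

    def _prune(self, hits, now):
        # Drop timestamps that have fallen out of the window.
        while hits and hits[0] <= now - self.window:
            hits.popleft()

    def allow(self, email, ip):
        now = self.now()
        email_hits = self._email_hits[email.strip().lower()]  # normalise address
        ip_hits = self._ip_hits[ip]
        self._prune(email_hits, now)
        self._prune(ip_hits, now)
        if len(email_hits) >= self.per_email or len(ip_hits) >= self.per_ip:
            return False
        email_hits.append(now)
        ip_hits.append(now)
        return True


GENERIC_REPLY = "If that address is registered, a reset link has been sent."


def handle_reset_request(limiter, known_emails, email, ip, send_email):
    """Send a reset mail only when the limiter allows it and the address is
    known, but reply with the same text in every case so the response does not
    reveal whether the address exists or whether a limit was hit."""
    if limiter.allow(email, ip) and email.strip().lower() in known_emails:
        send_email(email)
    return GENERIC_REPLY
```

In production the deques would live in a shared store such as Redis so the limits hold across application instances.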