Not necessarily. A malicious user can theoretically request a password for the victim, as long as they know the victim's email address, even though they don't control the victim's email account. In doing so repeatedly, the victim's inbox can be flooded with 100s or 1000s of unwanted password-reset mails. Meanwhile the forum now gets blamed for spamming the victim, rather than the attacker receiving blame. This is similar to a mail server acting as an open relay.
Password resets should be both throttled (x seconds between requests), and rate limited (maximum x requests per x minutes), probably by both originating IP and per account. This would not stop a victim who actually wants to reset their password at the same time their account is being targeted in this way, since the victim actually received the emails that were rate limited.
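As an added illustration of the throttle-plus-rate-limit scheme described in the post (this is example code, not from the post's author or any forum software), here is a small limiter that applies both rules to the originating IP and to the target account. The class name, the thresholds (30 s between requests, at most 3 per 15 minutes), the sample IPs and the victim address are all constructed for the example; the injectable clock exists only so the scenario is deterministic.

```python
"""Throttle and rate-limit password-reset requests, keyed per originating IP
and per target account. Example code with constructed names and thresholds."""
import time
from collections import defaultdict, deque


class ResetRequestLimiter:
    """Decides whether a password-reset e-mail may be sent right now.

    Two independent rules, each applied to the originating IP *and* to the
    target account:
      * throttle:   at least `throttle_seconds` between two accepted requests
      * rate limit: at most `max_requests` accepted requests per
                    `window_seconds` (sliding window)
    `clock` is injectable so the behaviour can be tested deterministically.
    """

    def __init__(self, throttle_seconds=30, max_requests=3,
                 window_seconds=900, clock=time.monotonic):
        self.throttle_seconds = throttle_seconds
        self.max_requests = max_requests
        self.window_seconds = window_seconds
        self.clock = clock
        # key -> timestamps of requests that were actually accepted
        self._history = defaultdict(deque)

    def _keys(self, ip, account):
        # Normalise the account so "Victim@Example.com" and
        # "victim@example.com" share one bucket.
        return (f"ip:{ip}", f"acct:{account.strip().lower()}")

    def _check(self, key, now):
        """Return None if `key` may proceed, else the reason it may not."""
        q = self._history[key]
        while q and now - q[0] > self.window_seconds:   # drop expired entries
            q.popleft()
        if q and now - q[-1] < self.throttle_seconds:
            return f"throttled:{key}"
        if len(q) >= self.max_requests:
            return f"rate_limited:{key}"
        return None

    def request_reset(self, ip, account):
        """Return (send_mail, reason); call before sending the reset mail.

        The user-facing response should be identical either way ("If that
        account exists, a reset link has been sent") so the limiter does not
        reveal which accounts exist or which ones are being throttled.
        """
        now = self.clock()
        keys = self._keys(ip, account)
        for key in keys:
            reason = self._check(key, now)
            if reason is not None:
                return False, reason
        for key in keys:
            self._history[key].append(now)
        return True, "sent"


class FakeClock:
    """Constructed, controllable clock for the scenario below."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def run_flood_scenario():
    """Constructed scenario: one source floods a victim's mailbox from two IPs.

    Returns the reason string for each request so the outcome can be checked.
    """
    clock = FakeClock()
    limiter = ResetRequestLimiter(throttle_seconds=30, max_requests=3,
                                  window_seconds=900, clock=clock)
    victim = "victim@example.com"          # constructed sample address
    steps = [
        (0,    "203.0.113.10", victim),    # first request: accepted
        (10,   "203.0.113.10", victim),    # 10 s later: throttled
        (40,   "203.0.113.10", victim),    # accepted
        (80,   "203.0.113.10", victim),    # accepted (3rd in the window)
        (120,  "203.0.113.10", victim),    # 4th within 15 min from this IP: limited
        (130,  "198.51.100.7", victim),    # new IP, same victim: account limit holds
        (1000, "198.51.100.7", victim),    # window expired: accepted again
    ]
    results = []
    for t, ip, account in steps:
        clock.now = float(t)
        _send, reason = limiter.request_reset(ip, account)
        results.append(reason)
    return results


if __name__ == "__main__":
    for r in run_flood_scenario():
        print(r)
```

Keying on both IP and account is what closes the gap the post describes: the per-IP bucket stops one source from flooding many victims, and the per-account bucket stops many sources from flooding one victim. The scenario also shows the trade-off the post ends on: once the account bucket is full, a genuine request from the real owner is suppressed as well, which is why the window should be short and the user-facing message should explain that a link was sent recently.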