0 Replies Latest reply: Jun 14, 2013 7:11 AM by SliderFighter RSS

    Sling Account Password Reset Flow

    SliderFighter

      Dear Sling,


      Your Sling Account Password Reset flow is fundamentally BAD.  Here's why:


      1. Anyone with a Sling Account holder's email address can lock the account owner out simply by entering the owner's email address in the "Forgot Password" field and clicking "Reset"; i.e., the email verification needs to happen BEFORE the password is actually reset, not after.  The way it is now, it is waaaaaay too easy for random jerks to mess with legitimate users.
      2. CAPTCHA - There's only a handful of strings that come up.  Ridiculously easy to crack.  There's plenty of free code out there that does a much better job.
      3. Verification Strings - There's only one of three words and a three-digit code emailed to the user every time.  This means there's only 6000 possible combinations (word/number, number/word).  Again, highly vulnerable.


      Please fix this?
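The flow the post asks for, as an added example that is not part of the original post or of any Sling code: a reset request changes nothing about the account, the password is replaced only when the emailed token comes back, and that token is a high-entropy, single-use, time-limited secret rather than a three-word/three-digit string. The in-memory user store and SHA-256 password hashing are assumptions made to keep the example dependency-free; a real service would use a password hash such as argon2 or bcrypt.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory user store (stands in for a database).
USERS = {
    "alice@example.com": {"password_hash": hashlib.sha256(b"old-password").hexdigest(),
                          "reset": None},
}
TOKEN_TTL_SECONDS = 15 * 60  # reset links expire after 15 minutes


def request_reset(email, now=None):
    """Step 1: caller supplies only an email address. The account is untouched.

    Returns the opaque token that would be mailed to the address (sending is out
    of scope). Unknown addresses get a decoy token so the response does not
    reveal whether an account exists."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # ~256 bits of entropy, not 6000 guesses
    user = USERS.get(email)
    if user is not None:
        # Store only a hash of the token so a leaked database cannot replay it.
        user["reset"] = {"token_hash": hashlib.sha256(token.encode()).hexdigest(),
                         "expires": now + TOKEN_TTL_SECONDS}
    return token


def confirm_reset(email, token, new_password, now=None):
    """Step 2: the password changes only when the mailed token is presented.

    Returns True on success. The token is consumed and cannot be reused."""
    now = time.time() if now is None else now
    user = USERS.get(email)
    pending = user["reset"] if user else None
    if pending is None or now > pending["expires"]:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, pending["token_hash"]):
        return False
    user["reset"] = None  # single use
    user["password_hash"] = hashlib.sha256(new_password.encode()).hexdigest()
    return True


def check_login(email, password):
    """Verify a password against the stored hash (SHA-256 stand-in, see lead-in)."""
    user = USERS.get(email)
    return user is not None and hmac.compare_digest(
        user["password_hash"], hashlib.sha256(password.encode()).hexdigest())
```

Because the old password keeps working until a valid token is presented, a stranger who knows only the email address can trigger a mail but cannot lock the owner out.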