Resetting a password

BlaB! AX does not send any email messages. Automated email messages to reset a password or activate an account are unreliable and are very often left undelivered by spam filters. BlaB! AX deals with this in a different way. Two combinations are associated with each user account: Username-Password and Email-RecoveryQuestion-RecoveryAnswer. Users who know the current password are allowed to reset it. However, the Email can only be changed with a correct RecoveryAnswer. A forgotten password is reset in this way:

It is unlikely that someone would know or guess both the Password and the RecoveryAnswer in order to take full control of someone else's account. Brute-force attacks are not possible: BlaB! AX accepts up to 5 attempts per hour. Both Password and RecoveryAnswer are stored in the database as salted SHA-256 hashes.
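The two controls described above, sketched as an added example (this is not BlaB! AX's own code). It assumes the reset is keyed by Email plus RecoveryAnswer and that the 5-per-hour limit is counted per account; the class, method and field names are hypothetical.

```python
import hashlib
import hmac
import os
import time

MAX_ATTEMPTS = 5       # from the page: up to 5 attempts ...
WINDOW_SECONDS = 3600  # ... per hour


def salted_sha256(secret, salt):
    """Salted SHA-256 digest, the storage form the page names."""
    return hashlib.sha256(salt + secret.encode("utf-8")).hexdigest()


class AccountStore:
    """Hypothetical in-memory stand-in for the user table."""

    def __init__(self, clock=time.time):
        self.users = {}     # email -> {"pw": (salt, digest), "answer": (salt, digest)}
        self.attempts = {}  # email -> timestamps of recent attempts
        self.clock = clock

    def _store(self, secret):
        salt = os.urandom(16)  # fresh random salt per stored secret
        return salt, salted_sha256(secret, salt)

    def register(self, email, password, answer):
        self.users[email] = {"pw": self._store(password), "answer": self._store(answer)}

    def _matches(self, email, field, supplied):
        # Unknown emails are hashed against a dummy record so both paths do equal work.
        salt, digest = self.users.get(email, {}).get(field, (b"\0" * 16, ""))
        return hmac.compare_digest(salted_sha256(supplied, salt), digest)

    def check_password(self, email, password):
        return self._matches(email, "pw", password)

    def reset_password(self, email, answer, new_password):
        now = self.clock()
        recent = [t for t in self.attempts.get(email, []) if now - t < WINDOW_SECONDS]
        self.attempts[email] = recent
        if len(recent) >= MAX_ATTEMPTS:
            return "rate_limited"  # refused before the answer is even compared
        recent.append(now)         # every attempt counts, right or wrong
        if not self._matches(email, "answer", answer):
            return "rejected"
        self.users[email]["pw"] = self._store(new_password)
        return "reset"
```

Once the window is full, even a correct RecoveryAnswer is refused until the oldest attempt is more than an hour old, which is what bounds online guessing.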


Page updated: 2020-09-04