Resetting a password
BlaB! WS does not send any email messages. Automated email messages to reset a password or activate an account are unreliable and are very often not delivered because of spam filters. BlaB! WS deals with this in a different way. Two combinations are associated with each user account: Username-Password and Email-RecoveryQuestion-RecoveryAnswer. Users who know the current password are allowed to reset it. However, the Email can only be changed with a correct RecoveryAnswer. A forgotten password is reset in this way:
- The user is asked to enter their Email.
- If the entered email exists in the database, the user is asked to answer the RecoveryQuestion.
- Only if the RecoveryAnswer is correct is the password replaced in the database with a new temporary password, which is presented to the user.
It is unlikely that someone will know or guess both the Password and the RecoveryAnswer in order to take full control of someone else's account. Brute-force attacks are not possible, because BlaB! WS accepts up to 5 attempts per hour. Both the Password and the RecoveryAnswer are stored in the database as salted SHA-256 hashes.
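The reset flow described above, as an added sketch that is not BlaB! WS's own code. The `RecoveryService` class, the in-memory dictionaries standing in for the database, the salt-prepended hash layout and counting the 5 attempts per email address are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

MAX_ATTEMPTS = 5          # from the page: up to 5 attempts per hour
WINDOW_SECONDS = 3600

def salted_sha256(value, salt):
    # Assumed layout: sha256(salt || value); the page only says "salted sha256".
    return hashlib.sha256(salt + value.encode("utf-8")).hexdigest()

class RecoveryService:  # hypothetical name
    def __init__(self):
        self.users = {}      # email -> record (stands in for the database)
        self.attempts = {}   # email -> timestamps of recent reset attempts

    def add_user(self, email, password, question, answer):
        p_salt, a_salt = secrets.token_bytes(16), secrets.token_bytes(16)
        self.users[email] = {
            "question": question,
            "p_salt": p_salt, "p_hash": salted_sha256(password, p_salt),
            "a_salt": a_salt, "a_hash": salted_sha256(answer, a_salt),
        }

    def get_question(self, email):
        # Only an email that exists in the database leads to the RecoveryQuestion.
        user = self.users.get(email)
        return user["question"] if user else None

    def _allowed(self, email, now):
        # Keep only attempts from the last hour, then compare with the limit.
        recent = [t for t in self.attempts.get(email, []) if now - t < WINDOW_SECONDS]
        self.attempts[email] = recent
        return len(recent) < MAX_ATTEMPTS

    def reset_password(self, email, answer, now=None):
        now = time.time() if now is None else now
        user = self.users.get(email)
        if user is None or not self._allowed(email, now):
            return None
        self.attempts[email].append(now)   # every attempt counts, right or wrong
        candidate = salted_sha256(answer, user["a_salt"])
        if not hmac.compare_digest(candidate, user["a_hash"]):  # constant-time compare
            return None
        temp = secrets.token_urlsafe(12)   # temporary password presented to the user
        user["p_salt"] = secrets.token_bytes(16)
        user["p_hash"] = salted_sha256(temp, user["p_salt"])
        return temp
```

Because the attempt is recorded before the answer is checked, a correct answer submitted after five failures in the same hour is refused as well.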