1 vote Vote

Client-Side Password Resets

The current Password Alert server is extremely complicated to setup and heavily tied to Google Apps because it invokes password resets from the server.

Google is currently working on a hosted version of the Password Alert server, which I assume requires a rework of the permission model, almost all of the difficulty could be removed by simply having the client force reset it's own password.

At the time of a phishing attack, we have a candidate username & password, so we should be able to login as the user for whom we have credentials, and then change their password to a randomly generated one, and then present a UI to the user with their new password.

The main advantage of this is that it would work for any site, Google or otherwise.

kuza55, 29.11.2015, 02:17
Idea status: under consideration


Leave a comment