Make password retrieval secure

Jan 16, 2014 at 3:50 PM
Currently, as long as you enter a correct email, your password will be reset and be emailed to your email. What if someone knows my email and keeps resetting my password? I think the system should first send a password reset link to the email address, then if the user clicks the link then reset the password.
Feb 13, 2014 at 4:46 PM
Dear BlogEngine.NET developer(s),

Did you read this post of mine? What is your thought on this issue? Thanks.
Feb 13, 2014 at 6:04 PM
Yes, looks like a legitimate concern. Just a matter of priority, but we'll need to address this.
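
The two-step flow proposed in the first post, sketched as an added C# example. It is not BlogEngine.NET code and not part of the thread; the class and method names are hypothetical, the store is in-memory, and the 30-minute link lifetime is an assumption.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Hypothetical sketch: names are illustrative, not BlogEngine.NET APIs.
public class PasswordResetService
{
    private class Pending { public string Email; public DateTime ExpiresUtc; }

    // Keyed by SHA-256 of the token, so a leaked store does not yield usable links.
    private readonly Dictionary<string, Pending> _pending = new Dictionary<string, Pending>();
    private readonly Dictionary<string, string> _passwords;            // email -> password hash
    private readonly TimeSpan _lifetime = TimeSpan.FromMinutes(30);    // assumed lifetime

    public PasswordResetService(Dictionary<string, string> passwords) { _passwords = passwords; }

    // Step 1: a request only issues a token. The stored password is not touched,
    // so someone who merely knows the address cannot change anything.
    public string RequestReset(string email)
    {
        if (!_passwords.ContainsKey(email)) return null; // caller shows the same message either way
        var raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        string token = Convert.ToBase64String(raw).Replace('+', '-').Replace('/', '_').TrimEnd('=');
        _pending[Hash(token)] = new Pending { Email = email, ExpiresUtc = DateTime.UtcNow + _lifetime };
        return token; // mailed to the address as part of the reset link
    }

    // Step 2: only the holder of the emailed link can complete the reset.
    public bool ConfirmReset(string token, string newPasswordHash)
    {
        string key = Hash(token ?? "");
        Pending p;
        if (!_pending.TryGetValue(key, out p)) return false;   // unknown or already used
        _pending.Remove(key);                                  // single use, even if expired
        if (DateTime.UtcNow > p.ExpiresUtc) return false;
        _passwords[p.Email] = newPasswordHash;
        return true;
    }

    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }
}
```

Repeated calls to `RequestReset` for the same address only create more pending links; the account's password changes solely through `ConfirmReset` with a valid, unexpired token.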