New 'Forgot your password' feature
I've changed what BookMooch does when you forget your password. Previously, it was possible to try and try and try again, to type an endless number of password attempts, until you finally got it right.

As of today, if you can't enter your password correctly after 4 attempts, you're redirected to a page that looks like this:

The reasons for this change are:

1) to help people get their password to them, if they've forgotten it
2) to give people common advice about why they can't get into the account (i.e., the CAPS LOCK key is on)
3) to prevent someone malicious from trying millions of common passwords until they find one that works.

I've been following the story of the hacked passwords from Sony, and how the most common password is "Seinfeld." Until today, you theoretically could have written a program to try millions of common passwords against BookMooch accounts, and I'm sure that if you tried hard enough, you'd find lots of BookMooch accounts that use common passwords.

Now, before you worry, we've never, ever had a report of anyone doing this, nor of anyone stealing someone else's account. Also, I watch the BookMooch server pretty closely, so I would have noticed that something was up. However, I thought it would be wise to play it safe, and put a mechanism in place to prevent this sort of thing for the future.

Note that if you mistype your password 4 times, your account is automatically locked for one hour, though you can immediately unlock it if you fill out the "robot detection" form that's presented to you (i.e., in the picture above).

Anyhow, this shouldn't affect most of you, it's just something I've been meaning to do for a while.

-john
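The lockout rule described in the post (4 wrong passwords, a one-hour lock, immediate unlock through the robot-detection form), sketched as an added example; this is not BookMooch's code. The class name, the `check_password` callable and the `captcha_ok` flag are assumptions made for illustration.

```python
MAX_FAILURES = 4          # from the post: locked after 4 wrong attempts
LOCK_SECONDS = 60 * 60    # from the post: the lock lasts one hour


class LoginThrottle:
    """Per-account failure counter with a timed lock and a CAPTCHA unlock."""

    def __init__(self, clock):
        self.clock = clock        # injectable time source, so tests can advance it
        self.failures = {}        # username -> consecutive wrong passwords
        self.locked_until = {}    # username -> timestamp at which the lock ends

    def unlock(self, user):
        self.locked_until.pop(user, None)
        self.failures.pop(user, None)

    def is_locked(self, user):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:     # the hour has passed: clear the lock
            self.unlock(user)
            return False
        return True

    def attempt(self, user, check_password, captcha_ok=False):
        """Return 'ok', 'bad_password' or 'locked'.

        check_password is a zero-argument callable (hypothetical hook into the
        real credential check). It is never called while the account is locked,
        so even a correct guess gives an automated guesser no signal.
        """
        if self.is_locked(user):
            if not captcha_ok:
                return "locked"
            self.unlock(user)         # robot-detection form solved
        if check_password():
            self.failures.pop(user, None)
            return "ok"
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= MAX_FAILURES:
            self.locked_until[user] = self.clock() + LOCK_SECONDS
            return "locked"
        return "bad_password"


if __name__ == "__main__":
    import time
    throttle = LoginThrottle(clock=time.time)
    for _ in range(5):                # constructed input: five wrong guesses
        print(throttle.attempt("alice", lambda: False))
```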