I think the lost password feature should be improved even further. My website was recently attacked by someone trying to gain access to accounts on it. One of their methods was to spam-use the lost password feature, which resulted in many of my members receiving several password reset links. And this was not a bot either from my analysis using smartlook... this was a real person doing it... so CAPTCHA would not have stopped them.

Perhaps lost password can only be used for one account per IP per (insert amount of time here). And if an account has already had a password reset used, prevent another password reset from being sent to the same person until/unless the previous reset link had expired. This should be optional though, because some people may desire to allow the lost password to send multiple reset links if, say, someone's reset link never made it to them. The messages given to users using the feature should be clear if a limit is in place that they must wait X time before using the lost password feature again.

I'm not sure what you could do though.

My fiancee recently had this happen on amazon.com, so even Amazon don't know how to solve the problem.

You can't try and put a limit on particular IPs or sessions, as they could use a cookieless TOR browser.

Amazon is quite a humongous site, I reckon most Composr communities are small to medium, so perhaps adding the password requests into the staff validation queue initially could be an option. That way members don't get spammed and the staff can check the IP etc before sending the reset email. Just an idea. I would rather wait for staff action than have my account compromised.

That's an interesting approach.

It was mainly an idea to stop the system spamming reset emails. Given the validation queue exists it might as well be used to let an admin or staff determine if the request seems legitimate before allowing an email to be sent (rather than however many were initiated). Humans are more useful than robot overlords made of code, sometimes. And we have the audit trails and logs to help us. Might be a useful option for sites under attack, doesn't have to be on all the time or at all.

Don't some sites send an email asking if you requested for your password to be reset? then the member has to click a link to confirm or deny that they made this request. I imagine a denial would lead the requesting IP to end up on the ban list automatically. Maybe an email like that could be sent by the staff if they are unsure, the normal reset email if they are sure, and no email if they believe it was a hack attempt with an option to place the requesting IP on the ban list.

Good ideas.

I'm implementing this now, but just my initial proposal.

I do like your ideas on some level guys and want to thank you. But I also think on another level they are either overkill or impractical. I don't think someone's going to sit there solving CAPTCHAs repeatedly to do such low grade spam. And if somehow they are trying to do a hack, then certainly they could use TOR browser, so IP restrictions won't help. We could put a reset-timelimit on it, but I don't see what difference that'd make either - if one reset goes through and the hacker has access to their e-mail, job done. All extra restrictions would add bloat/complexity to the product, for no again in my opinion. We have to keep things as streamlined by making sure all our features are very justifable.