Password resets - logs?


(PJH) #1

Beyond /admin/email/sent, is there anywhere else to find logs for password reset requests?

We’ve been hit with someone (I’m presuming it’s a single person) sending out reset requests for numerous accounts and wanted to go digging.


(Salman, Freelance Developer) #2

Did you look in the email_logs table? You can filter by email type, user_id, and timestamps.

There should be a rate limit on how many password requests can originate from a given IP address.


#3

What if you’re an admin without database access?


(PJH) #4

The only admin interface I have access to is that provided by the web front-end.

And that table doesn’t appear to have anything like ip_requested_from which is what I was after.


#5

There’s a rate limit that really makes sense.


(Salman, Freelance Developer) #6

Especially so when you request a password using a username, since someone can easily compile a list of usernames to spam. Requesting a password reset using an email is much harder since that data point isn’t publicly visible, but even that should be rate limited if there are n requests for emails that don’t exist in the system.


(PJH) #7

Well, since I’ve already published this once (sorta - I’ve redacted the usernames as well, one avatar should stand out though):

That’s most of the useful information out of email_logs.


(Salman, Freelance Developer) #8

@codinghorror did mention he never remembers passwords :smile:

What kind of information do you think would be helpful here?

The only thing I could see being useful is the originating IP address of the requester, but that doesn’t look like it gets logged:


(PJH) #9

As I thought. To raise a point I made in another thread, this seems to be somewhat common - IPs don’t appear to be stored per-post either, which would also be useful.


#10

I hope you do not mean an absolute limit…


(Salman, Freelance Developer) #11

It would be a time-based rate limit, i.e. x password requests per y-minute interval.


(PJH) #12

‘Rate limit’ generally implies a time limit … the word ‘rate’ is normally the clue… :wink:


#13

Sorry, missed the “rate” somehow…


(Matches) #14

Password request time based on

  • Same IP Requests
  • Different usernames requested (of valid usernames)
  • Number of responded to keys (token burning from link/successful reset)
  • Time between requests (of valid users)
  • Time between different username requests (of valid users)

In days before another request can be made
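Putting Salman’s “x requests per y-minute interval” (#6, #11) together with the dimensions in Matches’ list (#14), here is an added example, not code from this thread or from the forum software, of a sliding-window limiter that counts reset requests per source IP, per distinct target per IP, and per account, charges requests for non-existent accounts against the same budget, and records the requester IP that email_logs lacks. The window length, caps, account names and IPs are constructed values.

```python
import time
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed policy (hypothetical values): a sliding window of y minutes with
# x requests allowed per source IP, a cap on distinct targets one IP may name,
# and a cap on how often any single account may be hit from anywhere.
WINDOW_SECONDS = 10 * 60
MAX_PER_IP = 5
MAX_DISTINCT_TARGETS_PER_IP = 3
MAX_PER_ACCOUNT = 2

@dataclass
class ResetLogEntry:
    ts: float
    ip: str        # the field the thread found missing from email_logs
    target: str    # username or email exactly as the requester typed it
    known: bool    # whether the target matched an existing account
    allowed: bool  # whether the limiter let the request proceed

class PasswordResetLimiter:
    def __init__(self, known_accounts):
        self.known = set(known_accounts)
        self.by_ip = defaultdict(deque)          # ip -> request timestamps
        self.targets_by_ip = defaultdict(deque)  # ip -> (ts, target)
        self.by_account = defaultdict(deque)     # target -> request timestamps
        self.log = []

    @staticmethod
    def _prune(dq, now, key=lambda e: e):
        while dq and now - key(dq[0]) > WINDOW_SECONDS:
            dq.popleft()

    def request(self, ip, target, now=None):
        now = time.time() if now is None else now
        self._prune(self.by_ip[ip], now)
        self._prune(self.targets_by_ip[ip], now, key=lambda e: e[0])
        self._prune(self.by_account[target], now)
        distinct = {t for _, t in self.targets_by_ip[ip]}
        allowed = (len(self.by_ip[ip]) < MAX_PER_IP
                   and (target in distinct or len(distinct) < MAX_DISTINCT_TARGETS_PER_IP)
                   and len(self.by_account[target]) < MAX_PER_ACCOUNT)
        # Every attempt is charged, allowed or not, known account or not, so
        # probing for valid usernames burns the same budget as genuine resets.
        self.by_ip[ip].append(now)
        self.targets_by_ip[ip].append((now, target))
        self.by_account[target].append(now)
        self.log.append(ResetLogEntry(now, ip, target, target in self.known, allowed))
        return allowed

    def requests_from(self, ip):
        """The per-IP view an admin would want when digging into a reset storm."""
        return [e for e in self.log if e.ip == ip]
```

The response shown to the requester should be the same whether or not `known` is true; the flag exists for the admin log, not for the reply.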