Timeline for Should admin users confirm their password before changing a user password?
Current License: CC BY-SA 4.0
4 events
| when | what | by | license | comment |
|---|---|---|---|---|
| Oct 26, 2018 at 10:38 | vote | accept | Robin Salih | |
| Oct 24, 2018 at 12:09 | comment | added | Conor Mancone | You're correct that if you mitigate XSS well then you don't have to worry, but saying that is not especially helpful without talking through what that actually means. In particular, the only way (I can think of) to stop an XSS from taking advantage of a "set password" page is by requiring the user to enter their password on that page. As a result, I think you've missed the crux of the question. |
| Oct 24, 2018 at 12:07 | comment | added | Conor Mancone | Resetting a password is a different action than changing a password, and when changing a password it is a common use case (and a good call IMO) to ask the user to verify their password. This is intended to make sure that an attacker with temporary access to their account can't change the password, gaining permanent access and locking out the owner. |
| Oct 23, 2018 at 17:00 | history | answered | odo | CC BY-SA 4.0 |