lost password hash expire

[michag86]

If a user clicks on "lost password", the hash is stored until he changes it. But if the user remembers his old password, the password hash is valid until his next click on "lost password".

In my case there are about 100 users and the system is running for about a year and there are 10 lostpassword hashes.

If the reset mail with the link is sent unencrypted via smtp, maybe there is an mailadmin that knows the link too.

It would be useful if there is a timestamp generated and stored in oc_preferences as lostpasswordtime. So it would be possible to create an job that cleans up all hashs that are older as x hours (value from config.php).

[LukasReschke]

This is already implemented in 8.2. See db4cb1d and #18491

[michag86]

Oh sorry! I'm still using 8.1.x and searched for an issue before I created this.
Thanks!

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.