Hello, I'd like to discuss about Django's password reset token functionality.
I've been able, with a simple Python script, from having read-only access to my Django webserver to a full read-write by crafting a reset token. Isn't it one of the main goals of hashing passwords ? Protecting from attackers having read only access to the database ? The only "Unpredictable" data that can be needed if the attacker's last database access is old is the last_login, which can be very easily bypassed with a simple script bruteforce (as I did here <https://github.com/belzebalex/django_token_exploit>) I would like to know, is there an other way the password reset mechanism could work that wouldn't enable such problem ? I haven't found one alone. -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To post to this group, send email to django-developers@googlegroups.com. Visit this group at https://groups.google.com/group/django-developers. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/96fd4144-450e-4d9a-ab7d-eb308339056c%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
