Yesterday I came from my college, started my laptop and opened my site. Oooo so many new activities! Started scrolling down to see what else is there! Nice, Nice, Nice .... what the hell is this? Who posted this?
Let me Delete it fast. Login > Username: xyz, Password: xxxxx > Enter
Error!
Your username or password was incorrect. Please try again.
Username is correct, password: (carefully typing) > Enter
Error!
Your username or password was incorrect. Please try again.
Third time. Everything carefully > Enter
Error!
Your username or password was incorrect. Please try again.
Ooo, maybe I have forgotten the password. Clicked on Forgot password > My email > Enter.
Opened my Email account, two emails for the password change??
The second one is the recent one and the first one is?? 4 hours ago!!
I logged in to my site using the new password. Deleted the post. Checked other items and went to Facebook!!
A long time on Facebook and then food and then sleep!
Aaah, today is Sunday!! Let me see my website for any updates. http://...... > Enter
What the hell, my site is flooded with the same type of content which I had deleted yesterday and by the same user. Now I will ban the user!
Login > Username: xyz, Password: (The new password I got yesterday) > Enter
Error!
Your username or password was incorrect. Please try again.
WTF! WTF! WTF!
I logged into my Email account. WTF, there is a password change request!
Someone is changing my password day by day without my knowledge!
Who the hell is this??
I started searching for the people who know my email and about my site. Found several people who know my email but don't know about my site.
Found many people who know about my site but not my email.
But then suddenly!!!
>Recommended Hosting Providers List Update
>DolphinPro 7.3 [Scooter] Released. And it's awesome!
>Could you send us your photo? And a few lines on what you think about us?
Caught in the act! A person who knows my email and my site too!! Andrew Boon!
So, who is changing my password? Did you Andrew Boon??
This is a satire on the forgot-password procedure of a Boonex Dolphin site!!
Even after repeated complaints, the Boonex team has repeatedly overlooked the current forgot-password procedure, in which any user can change anyone's password if they know that person's email. There is no confirmation of the password change request; the password is changed instantly without the knowledge of the user. The same thing happens here on the Boonex site too!
It should not be like that. If a user requests a password change, they should receive a link which, when clicked, returns them to a page where they can set a password of their choice, or the newly generated password should only become valid once the user confirms it by clicking on the link.
Thanks to Denre - https://www.boonex.com/m/advanced-password-forgot who is saving almost all the Boonex Dolphin powered sites from evil eyes!
He even said he can give that to Boonex if they want. But why would they want it? They have the better procedure! Anyone can change anyone's password!!
Hope this post will somehow change the Boonex team's thinking about password security and get them to do something to solve this critical issue!