Change Password

When a member first requests access to the member's area they are sent an email containing a link to obtain a generated password. The link expires after two hours, after which another password request must be made, so a member keeping the email poses no security risk.

Because the generated password may be difficult to remember, members can use the Change Password page to change it to anything they want, provided it contains at least six characters. To make this easier, the page that displays the generated password includes a link that logs the member in with that password without their needing to retype it.

When a member first logs in, a link at the top of the page lets them change their password without retyping the one they just used to log in. Once they leave that initial page they must re-enter their old password in order to change it, so that nobody else can change it if they accidentally leave their computer unattended while logged on.

The new password must be entered twice to make sure it was not mistyped, since the password fields only display asterisks on the screen.

This page can only change the password of the member who is actually signed in. Passwords are stored in the database in an encrypted format that should be extremely difficult to crack (certainly requiring many times more effort than the membership data such a crack would expose is worth). Because of this encryption, the only person who can know a given password is the member it belongs to. The only way to regain access to a forgotten password is to use the lost password form on the login screen to generate a new one. The link to obtain the new password is emailed to the address belonging to that member and should therefore be difficult for anyone else to intercept. While it is theoretically possible for someone to intercept that email and gain access to the account, it is extremely unlikely, as the information it would expose is not worth the effort required to obtain access that way.

The worst that can happen with this approach is that someone who knows both a member's membership number and email address can trigger a password reset email to that member. Since the member is not trying to reset their password, they simply ignore it.
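The flow described on this page (a reset link that expires after two hours, a generated password, a change form that requires the old password except right after login, a six-character minimum, and a double-entry check) can be sketched as a small self-contained Python example. This is an added illustration, not the site's own code: the page does not say which language, storage or algorithm the site uses, so the in-memory member table, the HMAC-signed token format, the PBKDF2 password hashing and the server secret are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed parameters for this example (not from the page).
SERVER_SECRET = b"constructed-server-secret-do-not-reuse"
LINK_TTL_SECONDS = 2 * 60 * 60   # the two-hour link expiry described on the page
MIN_PASSWORD_LENGTH = 6          # the page's minimum password length
PBKDF2_ROUNDS = 100_000

# In-memory stand-in for the members table: membership number -> record.
members = {}


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256, stored as 'salt$digest' in hex (assumed scheme)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def _sign(member_number, expires):
    msg = f"{member_number}:{expires}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_reset_token(member_number, now):
    """Token carried in the emailed link: member, expiry time, HMAC signature.
    Because the expiry is signed, a kept email stops working after two hours
    without the server having to remember anything about the link."""
    expires = int(now) + LINK_TTL_SECONDS
    return f"{member_number}:{expires}:{_sign(member_number, expires)}"


def redeem_reset_token(token, now):
    """Validate the link; on success set a generated password and return it,
    otherwise return None (expired, tampered, or unknown member)."""
    parts = token.split(":")
    if len(parts) != 3:
        return None
    member_number, expires_str, sig = parts
    if not expires_str.isdigit():
        return None
    expires = int(expires_str)
    if not hmac.compare_digest(sig, _sign(member_number, expires)):
        return None
    if expires <= int(now):
        return None
    record = members.get(member_number)
    if record is None:
        return None
    generated = secrets.token_urlsafe(9)   # 12 URL-safe characters
    record["password"] = hash_password(generated)
    return generated


def change_password(member_number, new_password, confirm,
                    old_password=None, just_logged_in=False):
    """The Change Password form. Right after login the old password is not
    required; on any later page it must be re-entered. Returns (ok, reason)."""
    record = members.get(member_number)
    if record is None:
        return (False, "unknown member")
    if not just_logged_in:
        if old_password is None or not verify_password(old_password, record["password"]):
            return (False, "old password required")
    if new_password != confirm:
        return (False, "new passwords do not match")
    if len(new_password) < MIN_PASSWORD_LENGTH:
        return (False, "new password must be at least six characters")
    record["password"] = hash_password(new_password)
    return (True, "password changed")


if __name__ == "__main__":
    # Constructed walk-through of the page's flow.
    now = 1_700_000_000
    members["1234"] = {"password": hash_password("forgotten")}
    link_token = issue_reset_token("1234", now)
    generated = redeem_reset_token(link_token, now + 600)
    print("generated password:", generated)
    print(change_password("1234", "mynewpw", "mynewpw", just_logged_in=True))
    print(change_password("1234", "another1", "another1", old_password="mynewpw"))
    print("kept email after two hours:", redeem_reset_token(link_token, now + LINK_TTL_SECONDS + 1))
```

The token is self-validating: the server does not store it, so a link in an old email simply stops verifying once its signed expiry time has passed, which is what makes keeping the email harmless.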

