I need some professional advice…
If I were to create an account for a Panda Web Based Application, which allowed a user to change their password… which of the following would be more apt?
The User must log into their account before they can change their password.
Allow the User to enter a pin number or Q and A to verify they own the account and then allow them to change their password without logging in.
I kind of like the latter because, if somebody hijacked the User’s Account and changed the password, the User wouldn’t be able to login anyway. By allowing the Real User to verify themselves as the original owner and thus granted password change access, the User can take their account back from the hijacker.
Most sites with accounts only allow password change from within the account, after logging in; which leans more towards the User forgetting their password and cannot stop a hijacker that has made it into the account and locked out the User by changing the password.
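As an added, constructed example (not code from the poster or from any Panda application), here is a minimal model of both options side by side, walked through the hijack scenario raised in the question: an in-session change that re-checks the current password, and a recovery path that verifies a PIN stored separately from the password and rate-limited against guessing. All account names, passwords and the PIN are invented; any password change revokes every open session so a hijacker is logged out too.

```python
import hashlib, hmac, os, secrets

def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)  # slow, salted

class Account:
    MAX_RECOVERY_ATTEMPTS = 5  # throttle guessing of the recovery PIN
    def __init__(self, password: str, recovery_pin: str):
        self.pw_salt, self.pin_salt = os.urandom(16), os.urandom(16)
        self.pw_hash = _hash(password, self.pw_salt)
        self.pin_hash = _hash(recovery_pin, self.pin_salt)  # independent of the password
        self.failed_recovery = 0
        self.sessions = set()
    def login(self, password: str):
        if not hmac.compare_digest(_hash(password, self.pw_salt), self.pw_hash):
            return None
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return token
    def change_password(self, session: str, current_pw: str, new_pw: str) -> bool:
        # Option 1: needs a live session AND the current password (re-authentication).
        if session not in self.sessions:
            return False
        if not hmac.compare_digest(_hash(current_pw, self.pw_salt), self.pw_hash):
            return False
        self._set_password(new_pw)
        return True
    def recover_password(self, pin: str, new_pw: str) -> bool:
        # Option 2: no login; proves ownership with a factor the hijacker could not change.
        if self.failed_recovery >= self.MAX_RECOVERY_ATTEMPTS:
            return False
        if not hmac.compare_digest(_hash(pin, self.pin_salt), self.pin_hash):
            self.failed_recovery += 1
            return False
        self.failed_recovery = 0
        self._set_password(new_pw)
        return True
    def _set_password(self, new_pw: str) -> None:
        self.pw_hash = _hash(new_pw, self.pw_salt)
        self.sessions.clear()  # every session is revoked, the hijacker's included

def hijack_scenario() -> dict:
    # Constructed walk-through: the attacker knows the password, only the owner knows the PIN.
    acct = Account("owner-pw", "4711")
    thief = acct.login("owner-pw")
    locked_out = acct.change_password(thief, "owner-pw", "thief-pw") and acct.login("owner-pw") is None
    recovered = acct.recover_password("4711", "fresh-pw")
    return {"locked_out": locked_out, "recovered": recovered,
            "thief_session_dead": thief not in acct.sessions,
            "thief_password_dead": acct.login("thief-pw") is None}
```

The recovery PIN is only as strong as its secrecy and the attempt limit, so in practice the same structure is used with a one-time code delivered out of band rather than a static PIN.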