Panda Online Account Creation

I need some professional advice…

If I were to create an account for a Panda web-based application which allowed a user to change their password… which of the following would be more apt?

  • The User must log into their account before they can change their password.

  • Allow the User to enter a PIN or Q and A to verify they own the account and then allow them to change their password without logging in.

I kind of like the latter because, if somebody hijacked the User’s account and changed the password, the User wouldn’t be able to log in anyway. By allowing the real User to verify themselves as the original owner and thus be granted password change access, the User can take their account back from the hijacker.

Most sites with accounts only allow password change from within the account, after logging in; this leans more towards the User forgetting their password and cannot stop a hijacker that has made it into the account and locked out the User by changing the password.

I can’t find a reason this question is related to Panda3D. You’ll get better answers on security focused forums, I think.

Anyway, Q&A is the same as a password, the only difference being that the second has an implicit question of “what is your password?”. For hijackers, answering a question like “what was your mother’s first name” or “what’s the name of your first pet” is way easier than guessing the password in many cases.
One might even go as far as to say a password is an answer to a question never spoken or written out, which makes the hijacking even harder, since you have to guess both the Q and the A.
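The two flows discussed in this thread, as an added Python sketch that is not code from either poster or from Panda3D: a logged-in change re-checks the current password, while recovery bypasses the (possibly hijacker-changed) password but relies on a random, single-use, expiring token delivered out of band instead of a guessable Q&A. The KDF parameters and the 15-minute token lifetime are assumptions.

```python
import hashlib, hmac, os, secrets, time

RECOVERY_TTL = 15 * 60  # assumed policy: a recovery token is valid for 15 minutes

def _hash(pw: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from the standard library (assumed parameters; a memory-hard KDF is preferable)
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

class Account:
    def __init__(self, password: str):
        self.recovery = None  # (sha256(token), expires_at) while a recovery is pending
        self._set_password(password)

    def verify_password(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, _hash(password, self.salt))

    def change_password(self, current: str, new: str) -> bool:
        # Logged-in change: re-verify the current password so a stolen session alone is not enough.
        if not self.verify_password(current):
            return False
        self._set_password(new)
        return True

    def start_recovery(self, now: float = None) -> str:
        # Issue a random token to be sent over the registered out-of-band channel (e-mail/SMS).
        # Only its hash is stored, so a database leak does not hand out live tokens.
        token = secrets.token_urlsafe(32)
        now = time.time() if now is None else now
        self.recovery = (hashlib.sha256(token.encode()).digest(), now + RECOVERY_TTL)
        return token

    def complete_recovery(self, token: str, new: str, now: float = None) -> bool:
        # Lets the real owner reset without knowing the current password, as long as the token
        # is the one issued, is unexpired and has not already been used.
        if self.recovery is None:
            return False
        token_hash, expires_at = self.recovery
        now = time.time() if now is None else now
        if now > expires_at:
            self.recovery = None  # expired tokens are discarded, not honoured
            return False
        if not hmac.compare_digest(token_hash, hashlib.sha256(token.encode()).digest()):
            return False  # wrong token; rate limiting of attempts belongs in the surrounding app
        self._set_password(new)  # also consumes the token (single use)
        return True

    def _set_password(self, new: str) -> None:
        self.salt = os.urandom(16)
        self.pw_hash = _hash(new, self.salt)
        self.recovery = None  # any outstanding recovery token is invalidated
```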

