Change Details

As a user, I should be able to use the Password Reset feature as a Passwordless Login System. **Use Case** User does not want to remember passwords or record passwords anywhere. On sites that have a simple "Forgot Password" feature (like MediaWiki sites), user can get a new password emailed to them everytime they want to login. This is significantly more secure than using a simple password and is easier (or possibly more secure) than using most password managers. **Problem** When requesting a new password within a 24 hour period, you get this error: > A password reset email has already been sent, within the last 24 hours. To prevent abuse, only one password reset email will be sent per 24 hours. What kind of abuse is this preventing? And is the abuse worse than preventing a legitimate user workflow?

As a user, I should be able to use the Password Reset feature as a Passwordless Login System. **Use Case** User does not want to remember passwords or record passwords anywhere. On sites that have a simple "Forgot Password" feature (like MediaWiki sites), user can get a new password emailed to them everytime they want to login. This is significantly more secure than using a simple password and is easier (or possibly more secure) than using most password managers. **Problem** When requesting a new password within a 24 hour period, you get this error: > A password reset email has already been sent, within the last 24 hours. To prevent abuse, only one password reset email will be sent per 24 hours. What kind of abuse is this preventing? And is the abuse worse than preventing a legitimate user workflow? **Solution** Remove the throttle. Or at a minimum, increase it substantially (maybe once an hour? or every 5 minutes?)

As a user, I should be able to use the Password Reset feature as a Passwordless Login System. **Use Case** User does not want to remember passwords or record passwords anywhere. On sites that have a simple "Forgot Password" feature (like MediaWiki sites), user can get a new password emailed to them everytime they want to login. This is significantly more secure than using a simple password and is easier (or possibly more secure) than using most password managers. **Problem** When requesting a new password within a 24 hour period, you get this error: > A password reset email has already been sent, within the last 24 hours. To prevent abuse, only one password reset email will be sent per 24 hours. What kind of abuse is this preventing? And is the abuse worse than preventing a legitimate user workflow? **Solution** Remove the throttle. Or at a minimum, increase it substantially (maybe once an hour? or every 5 minutes?)