don-smith/reka

Accept existing password during password change?

Closed this issue · 1 comment

Changing passwords is done on the profile page. To get to it, you need to be signed in, which means you have a token. So we really don't need their current password. This is the approach in place now but only because my first attempts at comparing the hashes of the existing password and the one in the database were not successful.

I'm pretty sure the best practice is to always ask for the existing password when changing passwords so someone can't be locked out of their account when they step away from their computer.

This issue is to remind me to add the "Current password" to the change password session of the profile.

I don't know why, but in my first attempts at this I was trying to compare the hash buffers instead of just using the verify function in server/auth/hash.js. The current password is now required when changing passwords.