Password change doesn't require old password

Issue #4405 wontfix
Jonathan Smith created an issue

Changing the password doesn't require the user to also enter their old password. This means that it is possible to change someone's password, without knowing their old password, if they happen to have left their BB account logged in.

Comments (5)

  1. Dylan Etkin

    Hi Jonathan,

    We have done this on purpose so that we can better support OpenID and other alternate means of creating a Bitbucket account.

    We feel that if a user has browser access to your account they can do an unlimited amount of harm, password change being the least of it.



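An added example, not part of the original thread and not Bitbucket's code: one way a password-change handler can ask for the old password where one exists while still supporting accounts created through OpenID, the case raised in the reply. The `Account` model and the `fresh_external_login` flag are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


# Hypothetical account model; field names are assumptions, not Bitbucket's schema.
@dataclass
class Account:
    username: str
    salt: bytes = b""
    password_hash: Optional[bytes] = None  # None: created via OpenID, no local password


def _derive(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from the standard library; iteration count is illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def set_password(account: Account, password: str) -> None:
    # Fresh random salt on every change so old and new hashes are unrelated.
    account.salt = os.urandom(16)
    account.password_hash = _derive(password, account.salt)


def change_password(account: Account, new_password: str,
                    current_password: Optional[str] = None,
                    fresh_external_login: bool = False) -> bool:
    """Return True only if identity was re-proved before the change."""
    if account.password_hash is not None:
        # A local password exists: a logged-in session alone is not enough.
        if current_password is None:
            return False
        candidate = _derive(current_password, account.salt)
        # Constant-time comparison avoids leaking how many bytes matched.
        if not hmac.compare_digest(candidate, account.password_hash):
            return False
    elif not fresh_external_login:
        # OpenID-only account: there is no old password to ask for, so require
        # a fresh login at the identity provider instead (assumed flag).
        return False
    set_password(account, new_password)
    return True
```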