== Empty Lost Password Questions allowed ==

A user reports this security issue on cacert-support:

{{{
When I tried to see what happens if I clicked on Lost Password, I saw I only had to give my date of birth to change the password.
This was because I did not set any of the validation questions. (I did now btw).
So if someone has both the birthdate AND e-mail address (which you give if you are assured for CACert or Thawte) there is a possibility to change the password if the validation questions are not set.

My suggestion: make it mandatory to set the validation questions and/or send an e-mail ping. This would increase security.
I also discussed this with Martijn Heemels (also CACert member) and he also agreed.
}}}

== Comments ==

 * ?? set status to ''Open, 2005-06-23''
 * Duane set status to ''Closed, 2005-07-22''
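
Added example, not CAcert's code and not part of the report: one way a reset check can end up accepting the date of birth alone when no validation questions are set, next to a version that applies both suggestions from the report (questions mandatory, e-mail ping confirmed). The `Account` model, the function names, `MIN_QUESTIONS` and the sample accounts are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass, field


@dataclass
class Account:  # hypothetical model, not CAcert's schema
    email: str
    dob: str  # ISO date
    answers: dict = field(default_factory=dict)  # question -> stored answer


MIN_QUESTIONS = 1  # assumed policy value


def _same(a: str, b: str) -> bool:
    # Constant-time comparison of case- and whitespace-normalised strings.
    return hmac.compare_digest(a.strip().lower().encode(),
                               b.strip().lower().encode())


def reset_allowed_flawed(acct: Account, dob: str, given: dict) -> bool:
    # all() over an empty collection is True, so an account with no
    # questions passes on date of birth alone (the reported behaviour).
    return _same(acct.dob, dob) and all(
        _same(stored, given.get(q, "")) for q, stored in acct.answers.items())


def reset_allowed_hardened(acct: Account, dob: str, given: dict,
                           ping_confirmed: bool) -> bool:
    # Refuse when no questions are set, and require that the one-time
    # e-mail ping sent to acct.email was confirmed by the requester.
    if len(acct.answers) < MIN_QUESTIONS or not ping_confirmed:
        return False
    return reset_allowed_flawed(acct, dob, given)


# Constructed sample accounts.
EMPTY = Account("user@example.org", "1980-01-01")
WITH_Q = Account("user2@example.org", "1975-05-05", {"First pet?": "Rex"})

if __name__ == "__main__":
    print(reset_allowed_flawed(EMPTY, "1980-01-01", {}))
    print(reset_allowed_hardened(EMPTY, "1980-01-01", {}, True))
    print(reset_allowed_hardened(WITH_Q, "1975-05-05", {"First pet?": "rex"}, True))
```
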