Hmm... I need to find out myself. I don't know what the answer to your question is. I'll do some research in Google and get back to you if I get an answer. You should email the people at iPage as they probably know.
Maybe I'm crazy, I just don't like the idea that someone - anyone - can change my password without needing any validation whatsoever.
The best way would be sending a password reset email. Then the user that is changing the password must have control of that email account to change it.
I guess it's just an inconvenience, I can't think of any way to use that to an advantage...
Like BlueNoteMKVI said, if someone does this, the password change would be emailed to the account holder, not the malicious user who is doing the password changing, so it would not really be that big of a deal.
So I ask you, why on earth does it matter? Most internet stores I have seen (from small businesses to big ones like Amazon) all have this same type of setup where any malicious user can do what you are saying.
Think about it. Even if a hacker wanted to make some trouble in your web store by doing what you say, he would have to somehow find out the exact email addresses of your customers. There are sooo many email service providers and ISPs out there that even if the hacker had a program to generate email addresses, not only would he also have to have a program that would automate his evil doings on your site, but he would die of old age before he could probably even get that program to generate one email address that matched an email address of an account in your store.
It would be much, MUCH easier for said evil-doer to hack into your host's server and just mess up all the sites hosted on it (something that has happened to me before).
The only reason I can think of to implement a confirmation system like Paypal has is if you were involved in financial transactions, not selling product (like I assume you are doing).
With all due respect, I think your concern is one that is founded in sheer paranoia and not based in reality or sensibility...
Let alone the odds of someone knowing what site/store you are signed up on AND your email address. Think of the sheer numbers of web sites, email address combinations, etc...
OK. Mibble actually brought up something that actually takes your side of the argument.
If you know someone who has your email address, they can go to, say, Amazon and send a request for your password. But again, it'll be sent to you, not the person who knows your email address.
But what it comes down to here is that, in life in general, we need to take steps to protect ourselves. We cannot expect the government or corporate America to be our mothers. If you befriend someone who would do this to you, that is really a personal problem that needs to be dealt with on a personal level, not on a commercial or a governmental level.
One thing I do is I have an email account set up for internet purchases only. You would be amazed at how much less SPAM you get by doing this. All these internet merchants tell you that they do not sell your email address or share it, but that is actually a crock because I cannot count how many times in the past I have ordered something from someone like Amazon and then all of a sudden started getting SPAM.
But the bottom line is that you have to give your customers a certain amount of personal liability. If you try to be their mother all the time, you will find yourself run ragged and your profits dwindling...
Anyone can use the "forgot password" page to change the password of any email address in the database!
If someone knows that a particular email address is in the database, they can have a new password created for that address. However, that new password is emailed TO that address... so what good does it do you unless you have the capability to check that address?
I suppose if you're really worried about it, you could create some sort of mother's maiden name identification system or something like that, but I for one don't care enough to figure out how to set that up...