-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Tony Graziano
Sent: Thursday, April 15, 2010 1:40 PM
To: Mossman, Paul (Paul)
Cc: [email protected]
Subject: Re: [sipX-dev] password (PIN) recovery mechanism - should not change passwords without email confirmation
Or... Ask the subscriber id (line number), and if valid, ask the registered email address (making the visitor supply two pieces of information). Maybe have them set a secret question like favorite dog too, before the email will be generated and sent to them.

On Thu, Apr 15, 2010 at 2:57 PM, Mossman, Paul (Paul) <[email protected]> wrote:
> Hi all,
>
> Regarding XX-6764 [1], I have an objection to this feature as described:
>
> "On the login screen there shall be a link that allows recovering the password. Upon activation sipXconfig generates a new password for the User ID entered, stores that new password in the system, and sends an email to the email address registered for the user that includes the new password."
>
> This would allow anyone with IP access to invalidate the current PIN of any known user. That could be very disruptive.
>
> The "Forgot PIN" link should instead email the User a "secret" link, which can then be used to set a new PIN. That would make it considerably more difficult for a malicious person to erase a User's PIN.
>
> I also think this functionality should not be available for any User with Administration permission, and/or no defined email address.
>
> Thoughts?
>
>
> -Paul
> [email protected]
>
>
> [1] http://track.sipfoundry.org/browse/XX-6764 Provide password recovery mechanism
>

Or, if they lose their password, they can select a link to reset the password. A new password is sent to the registered email address. This confirms they at least have access to the email address for the user, and gives them a replacement password to use. You could optionally require it be replaced at first login.

These all seem to get the same results, but add security that wasn't there in the original proposal.
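The reset flow Paul argues for (a secret emailed link, the current PIN left untouched until that link is redeemed, and no reset for users with Administration permission or without a registered email address), as an added illustration that is not sipXconfig's code; the in-memory user store, the mail-sending callback and the one-hour link expiry are assumptions:

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # assumption: a reset link is valid for one hour


class PinRecovery:
    """Reset flow from the thread: requesting a reset never changes the PIN;
    only redeeming the single-use emailed link does."""

    def __init__(self, users, send_email, now=time.time):
        self.users = users            # user_id -> {"pin", "email", "admin"} (constructed store)
        self.send_email = send_email  # callable(address, body); assumed mail hook
        self.now = now                # clock, injectable so expiry can be tested
        self.pending = {}             # sha256(token) -> (user_id, expiry); only the hash is stored

    def request_reset(self, user_id):
        """Email a secret link. Returns True only if a link was actually sent;
        the web page should show the same message either way so the form does
        not reveal which user IDs exist."""
        user = self.users.get(user_id)
        if user is None or user["admin"] or not user["email"]:
            return False
        token = secrets.token_urlsafe(32)  # unguessable, 256 bits of randomness
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[digest] = (user_id, self.now() + TOKEN_TTL_SECONDS)
        self.send_email(user["email"], f"https://pbx.example/reset?token={token}")
        return True

    def redeem(self, token, new_pin):
        """Set a new PIN for the user tied to a valid, unexpired, unused token."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # pop makes the link single-use
        if entry is None:
            return False
        user_id, expiry = entry
        if self.now() > expiry:
            return False
        self.users[user_id]["pin"] = new_pin     # the only place the PIN changes
        return True
```

Because requesting a reset stores only a hash of the token and leaves the PIN alone, an attacker who knows a user ID can at most cause an email to be sent, not lock the user out.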
_______________________________________________
sipx-dev mailing list
[email protected]
List Archive: http://list.sipfoundry.org/archive/sipx-dev
Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-dev
sipXecs IP PBX -- http://www.sipfoundry.org/
