Re: forgot password and email password

Fri, 09 Oct 2009 15:28:00 -0700 

Jacques,
I think that Angelo is alluding to is that the current method allows a malicious prankster to create something of a denial of service attack against a registered user. It wouldn't be very difficult to script a 'bot that constantly resets a user's password. A more secure method would work along the following lines: 


	1.	Users enters username on the forgotPassword page and submits the  
form.


        2.      System emails a "reset password" link to the user's email.
                        Link should contain a serialized request id.

			Serialized request id should be implemented such a manner that it  
can only be requested a limited number of times within a fairly short  
time period (say,  3 times within 30 mins of submitting the  
forgotPassword form).


        3.      User retrieves the email and clicks on the "reset password 
link".


	4.	Users arrives at the "reset password" form within OFBiz and is  
asked to reset password.  They may also be challenged to answer a  
security question (which adds some additional security in case the  
email account has been compromised).
			If the "reset password link" has been clicked too many times within  
the expiration period (indicates a possible hacking attempt), clicked  
beyond the expiration timestamp (link is stale) or has already been  
used to successfully reset the account password, the system should  
present the user with an error message.


Mike


On Oct 9, 2009, at 5:51 PM, Jacques Le Roux wrote:


Yes, in *your* mailx box. Is this a problem for you ?
You can't prevent that if you want to give some flexibility.
"You can't have the cake and eat it" ;o)

Jacques

From: "Angelo Matarazzo" <[email protected]>

I suppose that in security.properties password.encrypt=true
and my username is "matarazzoa"
I suppose that an ofbiz user knows my username and in this screen 
https://demo904.ofbiz.org/ordermgr/control/forgotPassword
put my username matarazzoa and click "email password".

Ofbiz system will  change my password in userLogin entity and will  
send this

new password to my email address
Has another user changed my password????
Am I right?
Thank you.
--
View this message in context: 
http://www.nabble.com/forgot-password-and-email-password-tp25824734p25824734.html
Sent from the OFBiz - User mailing list archive at Nabble.com.



























					Reply via email to