Hi Mike,
Yes, sure, feel free to open a Jira (the description below should be
sufficient; of course a patch would be highly appreciated)
Thanks
Jacques
From: "Mike Rose" <[email protected]>
Jacques,
I think what Angelo is alluding to is that the current method
allows a malicious prankster to create something of a denial of
service attack against a registered user. It wouldn't be very
difficult to script a 'bot that constantly resets a user's password.
A more secure method would work along the following lines:
1. User enters username on the forgotPassword page and submits the
form.
2. System emails a "reset password" link to the user's email.
Link should contain a serialized request id.
Serialized request id should be implemented in such a manner that it
can only be requested a limited number of times within a fairly short
time period (say, 3 times within 30 mins of submitting the
forgotPassword form).
3. User retrieves the email and clicks on the "reset password link".
4. User arrives at the "reset password" form within OFBiz and is
asked to reset password. They may also be challenged to answer a
security question (which adds some additional security in case the
email account has been compromised).
If the "reset password link" has been clicked too many times within
the expiration period (indicates a possible hacking attempt), clicked
beyond the expiration timestamp (link is stale) or has already been
used to successfully reset the account password, the system should
present the user with an error message.
Mike
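Mike's four steps and the three rejection cases, as an added example that is not code from this thread or from OFBiz; it assumes a dict-backed in-memory store, the 3-clicks-within-30-minutes limits he suggests, and plain minute counters for time:

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed limits from Mike's suggestion (3 clicks within 30 minutes); minutes are plain ints.
MAX_CLICKS = 3
TTL_MINUTES = 30


@dataclass
class ResetRequest:
    username: str
    expires_at: int      # minute at which the link goes stale
    clicks: int = 0      # how often the link has been presented
    used: bool = False   # set once a password was actually reset with it


class ResetTokenService:
    def __init__(self) -> None:
        # Keyed by SHA-256 of the token: a leaked table is not a list of live links.
        self._requests: Dict[str, ResetRequest] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, username: str, now: int) -> str:
        """Steps 1-2: mint the id for the email. The password is NOT changed here,
        so repeated submissions of the form cannot lock the real user out."""
        token = secrets.token_urlsafe(32)
        self._requests[self._key(token)] = ResetRequest(username, now + TTL_MINUTES)
        return token

    def redeem(self, token: str, now: int) -> Tuple[str, Optional[str]]:
        """Steps 3-4: validate a clicked link; the username comes back only on 'ok',
        which is when the reset form (and any security question) may be shown."""
        req = self._requests.get(self._key(token))
        if req is None:
            return "unknown", None
        req.clicks += 1
        if req.clicks > MAX_CLICKS:
            return "too_many", None      # possible probing of the link
        if now > req.expires_at:
            return "stale", None         # past the expiry timestamp
        if req.used:
            return "already_used", None  # one successful reset per link
        req.used = True
        return "ok", req.username
```

The caller only changes the stored password on "ok", which is the difference from the current behaviour Angelo describes.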
On Oct 9, 2009, at 5:51 PM, Jacques Le Roux wrote:
Yes, in *your* mailbox. Is this a problem for you?
You can't prevent that if you want to give some flexibility.
"You can't have the cake and eat it" ;o)
Jacques
From: "Angelo Matarazzo" <[email protected]>
I suppose that in security.properties password.encrypt=true
and my username is "matarazzoa"
I suppose that an OFBiz user knows my username and in this screen
https://demo904.ofbiz.org/ordermgr/control/forgotPassword
puts my username matarazzoa and clicks "email password".
The OFBiz system will change my password in the userLogin entity and will
send this
new password to my email address.
Has another user changed my password????
Am I right?
Thank you.
--
View this message in context:
http://www.nabble.com/forgot-password-and-email-password-tp25824734p25824734.html
Sent from the OFBiz - User mailing list archive at Nabble.com.