Here's the scenario:
A hacker hijacks the account of a user on my site. The hacker changes the password. My site sends out an email to the user's contact email address with a link containing a url with a hash value to reset the password. The hacker then changes the user's contact email address the following day. My site then sends out an email to the old and new email addresses.
Most answers here have said that the recovery hash should be valid for an hour. But what if the user is away from home and doesn't get the emails until a week later after the hash has expired? The user's password has been changed and can't get a new recovery email either. The user has now lost the account and has no way to recover it. Shouldn't the hash remain valid for a week or two, or until it is used?
And what happens if the hacker, knowing how this mechanism works on most sites, claims to forget the password and requests a new one. Should the site generate a new hash, replacing the old one, thereby rendering the real user's reset hash invalid? Or should the site not change the hash, and send out the same hash again? But now, both the real user and the hacker have a hash to reset the password?
I'm sooooo confused... Maybe there's no perfect solution to this problem...
Any other technique? I, personally, don't like "secret questions" because, more often than not, they provide a back door to hack into someone's account. When sites require them from me, I type gibberish as the answer.
BTW, I know there are similar questions like this, and I would have preferred to ask for clarification in a comment to an existing question rather than open a new question, but I don't have high enough reputation to add a comment to someone else's question.
I would set the hash until activated and a caphata is done because the hacker could use a bot to get on the website.
Edit: The Hacker will not know secret password for reset verification.
Related
The steps mentioned at Reset User Password seems a bit confusing to me.
For example, A user normally reset his password because he cannot remember existing one.
Now, the above link mentions that
The refresh token can be retrieved by calling user.token after logging in via Realm.Sync.User
But, as user does not know his current password, how can the app get the refresh token?
I seem to be missing something here, not sure what..
Would be nice if someone could explain the complete steps for password reset by user.
"Password reset" is a bit of a misnomer. The functionality in question is intended for a logged-in user to change their own password (for example, from a "Settings" or "Profile" screen), or for a user with administrative privileges to change an arbitrary user's password.
There is another common use case in which a user who is logged out and does not remember their password wishes to reset it. In many cases this process involves sending them an email with a link which, upon being visited, will allow them to specify a new password. The Realm Object Server doesn't support this sort of password reset out of the box; you may want to file an issue at its issue tracker to request it (since it seems quite important).
Am I really that bad of a googler or is there no guides out there on how to reset a password WITHOUT simplemembership using tokenlink?
I want the anonymous user to input the mail of the account, send a mail with a link and when visiting that link the user is able to reset the password without the old password. I am not using simplemembership!
I know how to send emails and all that but I have never created a token and use it for the link in the mail etc. Are there any decent guides that could help me with this?
Side note, I'm storing all my user information in azure tablestorage.
Thanks
Stack Overflow isn't the best place to be asking overly broad "How do I do this?" questions, nor "recommend me a tutorial or guide".
(Having said that, I like the question/problem)
It should be fairly simple.
The user clicks on the "forgot password" link.
Generate a random string ("token"), such as a GUID and store it (such as in a database). Also store the time that it was generated or an expiration date.
Email the user a link to your site with the appropriate token.
The user comes back to your site. If the token exists and was done within the expiration time (15 - 30 minutes?) then give them a form to change their password.
Further reading
Resetting ASP.NET password - security issues?
Best way for a 'forgot password' implementation?
I think this is a simple one, I want to display the authentication key during a password reset.
First, is there any problem with doing so? Is there some kind of hole I'm opening up? I control when a user is created and sent signup_instructions. I only have about 500 users. My system is one where in many cases, it is only used a few times a year, and by only one or two employees at smallish companies , average 10 employees. Some of the companies we service , rather than create multiple accounts for employees, share one or more accounts, i.e. I create it for a specific person at the company, then they share the password with their assistant(s). I use email addresses for authentication key.
Can you guess what's coming next? This really happened! User goes on vacation, young assistant needs to log in, forgot the password, but is savvy enough to click forgot password and reset it, she reads bosses emails while boss is gone. Boss returns from vacation, needs to log in, can't, but isn't savvy enough to click forgot password and didn't bother to read her emails that came in while she was gone. So she calls in a panic and pissed off, 'what's wrong, I can't log in!!!'. Many of my users are like that, older, not real computer literate.
So I need to take extra steps to idiot proof resetting passwords, which I'm thinking should include PROMINENT display of the email address they are about to reset, plus wording to remind anyone who's 'sharing' an account to inform their co-workers if they reset.
I tried this in my devise/passwords/edit
<%= resource.email %>
The above code yields nothing!
You should never expose authentication data. That's why you never send them with GET but instead with POST. Do some research: how does gmail reset passwords? Another thing to remember, once you have done all that's reasonable, a user is responsible for safeguarding his personal information. If the secretary knows everything about the boss, then that's too bad -- unless they want you to use biometric to reset passwords.
I'm trying to use MyOpenID for my sign-in, but it doesn't seem to be sharing the email address.
If I use Google or others I do seem to get the email address, though. I thought that this was a standard field to return.
I even see some documentation here that seems to suggest they would share email:
https://rpxnow.com/docs/providers
(I'm using Ruby on Rails and Janrain for this project)
One interesting thing is that if I setup an identity page on MyOpenId, then the email IS shared with my application. I thought that there was supposed to be a way when logging in with MyOpenID to specify what data is shared during "SimpleRegistration"?
The problem was that I was testing with my own MyOpenId account and the very first time I logged in to my development server I had not paid enough attention.
When logging in the first time it said something along the lines of "blah site is asking you to share information with it. Click here to use an existing persona or to create a new one. I didn't select one and it defaulted to "don't ask again".
I was able to fix this by going in to MyOpenId and revoking permission for my site. Then the next time I logged in it asked me again and it worked.
I'm a beginner to rails and I'm having trouble with signing users in when they click on the registration email. I'm calling a login method (sign_in) and then directing them to the a page in the site, but the logic does not work. I am using Sorcery for generating the activation email. My repo is Here. I would appreciate any help, I'm a beginner still learning. Thanks in advance.
There's nothing magical about the email -- well, okay, it's probably got a capability tacked onto the end of an URL that lets you know the email address exists long enough to receive one email -- but once they sign in using your login method, it should store a cookie in the browser with a reference to the session id. (Or store session data directly in the cookie... up to you.)
So long as the same browser is used from the email clicking to the normal site use, the cookie (and its reference to the session id or session data) should still be valid, and they should still be "logged in".