forgot password and email password

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
7 messages Options
Reply | Threaded
Open this post in threaded view
|

forgot password and email password

matarazzo angelo
I suppose that
in security.properties
password.encrypt=true
and my username is "matarazzoa"

I suppose that an ofbiz user knows my username and
in this screen
https://demo904.ofbiz.org/ordermgr/control/forgotPassword
put my username matarazzoa and click "email password".

Ofbiz system will  change my password in userLogin entity and will send this new password to my email address

Has another user changed my password????

Am I right?

Thank you.

Reply | Threaded
Open this post in threaded view
|

Re: forgot password and email password

Jacques Le Roux
Administrator
Yes, in *your* mailx box. Is this a problem for you ?
You can't prevent that if you want to give some flexibility.
"You can't have the cake and eat it" ;o)

Jacques

From: "Angelo Matarazzo" <[hidden email]>

> I suppose that
> in security.properties
> password.encrypt=true
> and my username is "matarazzoa"
>
> I suppose that an ofbiz user knows my username and
> in this screen
> https://demo904.ofbiz.org/ordermgr/control/forgotPassword
> put my username matarazzoa and click "email password".
>
> Ofbiz system will  change my password in userLogin entity and will send this
> new password to my email address
>
> Has another user changed my password????
>
> Am I right?
>
> Thank you.
>
>
> --
> View this message in context: http://www.nabble.com/forgot-password-and-email-password-tp25824734p25824734.html
> Sent from the OFBiz - User mailing list archive at Nabble.com.
>

Reply | Threaded
Open this post in threaded view
|

Re: forgot password and email password

Bruno Busco
An alternative method could be sending a mail with a link that let the
user to have access to the system or just to the change password
feature.
May be something similar to the ExternalLoginKey.

In such a way the password cannot be changed by other people but the
one that can access to the registered mailbox.

-Bruno

2009/10/9 Jacques Le Roux <[hidden email]>:

> Yes, in *your* mailx box. Is this a problem for you ?
> You can't prevent that if you want to give some flexibility.
> "You can't have the cake and eat it" ;o)
>
> Jacques
>
> From: "Angelo Matarazzo" <[hidden email]>
>>
>> I suppose that in security.properties password.encrypt=true
>> and my username is "matarazzoa"
>>
>> I suppose that an ofbiz user knows my username and in this screen
>> https://demo904.ofbiz.org/ordermgr/control/forgotPassword
>> put my username matarazzoa and click "email password".
>>
>> Ofbiz system will  change my password in userLogin entity and will send
>> this
>> new password to my email address
>>
>> Has another user changed my password????
>>
>> Am I right?
>>
>> Thank you.
>>
>>
>> --
>> View this message in context:
>> http://www.nabble.com/forgot-password-and-email-password-tp25824734p25824734.html
>> Sent from the OFBiz - User mailing list archive at Nabble.com.
>>
>
>
Reply | Threaded
Open this post in threaded view
|

Re: forgot password and email password

Mike Rose
In reply to this post by Jacques Le Roux
Jacques,

    I think that Angelo is alluding to is that the current method  
allows a malicious prankster to create something of a denial of  
service attack against a registered user.  It wouldn't be very  
difficult to script a 'bot that constantly resets a user's password.  
A more secure method would work along the following lines:

        1. Users enters username on the forgotPassword page and submits the  
form.

        2. System emails a "reset password" link to the user's email.
                        Link should contain a serialized request id.
                        Serialized request id should be implemented such a manner that it  
can only be requested a limited number of times within a fairly short  
time period (say,  3 times within 30 mins of submitting the  
forgotPassword form).

        3. User retrieves the email and clicks on the "reset password link".

        4. Users arrives at the "reset password" form within OFBiz and is  
asked to reset password.  They may also be challenged to answer a  
security question (which adds some additional security in case the  
email account has been compromised).
                        If the "reset password link" has been clicked too many times within  
the expiration period (indicates a possible hacking attempt), clicked  
beyond the expiration timestamp (link is stale) or has already been  
used to successfully reset the account password, the system should  
present the user with an error message.

Mike


On Oct 9, 2009, at 5:51 PM, Jacques Le Roux wrote:

> Yes, in *your* mailx box. Is this a problem for you ?
> You can't prevent that if you want to give some flexibility.
> "You can't have the cake and eat it" ;o)
>
> Jacques
>
> From: "Angelo Matarazzo" <[hidden email]>
>> I suppose that in security.properties password.encrypt=true
>> and my username is "matarazzoa"
>> I suppose that an ofbiz user knows my username and in this screen https://demo904.ofbiz.org/ordermgr/control/forgotPassword
>> put my username matarazzoa and click "email password".
>> Ofbiz system will  change my password in userLogin entity and will  
>> send this
>> new password to my email address
>> Has another user changed my password????
>> Am I right?
>> Thank you.
>> --
>> View this message in context: http://www.nabble.com/forgot-password-and-email-password-tp25824734p25824734.html
>> Sent from the OFBiz - User mailing list archive at Nabble.com.
>>
>

Reply | Threaded
Open this post in threaded view
|

Re: forgot password and email password

Jacques Le Roux
Administrator
Hi Mike ,

Yes, sure, feel free to open a Jira (the description below should be sufficient, of course a patch highly appreciated)

Thanks

JAcques

From: "Mike Rose" <[hidden email]>

> Jacques,
>
>    I think that Angelo is alluding to is that the current method  
> allows a malicious prankster to create something of a denial of  
> service attack against a registered user.  It wouldn't be very  
> difficult to script a 'bot that constantly resets a user's password.  
> A more secure method would work along the following lines:
>
> 1. Users enters username on the forgotPassword page and submits the  
> form.
>
> 2. System emails a "reset password" link to the user's email.
> Link should contain a serialized request id.
> Serialized request id should be implemented such a manner that it  
> can only be requested a limited number of times within a fairly short  
> time period (say,  3 times within 30 mins of submitting the  
> forgotPassword form).
>
> 3. User retrieves the email and clicks on the "reset password link".
>
> 4. Users arrives at the "reset password" form within OFBiz and is  
> asked to reset password.  They may also be challenged to answer a  
> security question (which adds some additional security in case the  
> email account has been compromised).
> If the "reset password link" has been clicked too many times within  
> the expiration period (indicates a possible hacking attempt), clicked  
> beyond the expiration timestamp (link is stale) or has already been  
> used to successfully reset the account password, the system should  
> present the user with an error message.
>
> Mike
>
>
> On Oct 9, 2009, at 5:51 PM, Jacques Le Roux wrote:
>
>> Yes, in *your* mailx box. Is this a problem for you ?
>> You can't prevent that if you want to give some flexibility.
>> "You can't have the cake and eat it" ;o)
>>
>> Jacques
>>
>> From: "Angelo Matarazzo" <[hidden email]>
>>> I suppose that in security.properties password.encrypt=true
>>> and my username is "matarazzoa"
>>> I suppose that an ofbiz user knows my username and in this screen https://demo904.ofbiz.org/ordermgr/control/forgotPassword
>>> put my username matarazzoa and click "email password".
>>> Ofbiz system will  change my password in userLogin entity and will  
>>> send this
>>> new password to my email address
>>> Has another user changed my password????
>>> Am I right?
>>> Thank you.
>>> --
>>> View this message in context: http://www.nabble.com/forgot-password-and-email-password-tp25824734p25824734.html
>>> Sent from the OFBiz - User mailing list archive at Nabble.com.
>>>
>>
>

Reply | Threaded
Open this post in threaded view
|

Re: forgot password and email password

matarazzo angelo
Hi jacques,
I wanted to know how "email password"  works  ad if  ofbiz already prevents this DOS attack.
Regards Angelo.
jacques.le.roux wrote
Hi Mike ,

Yes, sure, feel free to open a Jira (the description below should be sufficient, of course a patch highly appreciated)

Thanks

JAcques

From: "Mike Rose" <mxr@mutsys.com>
> Jacques,
>
>    I think that Angelo is alluding to is that the current method  
> allows a malicious prankster to create something of a denial of  
> service attack against a registered user.  It wouldn't be very  
> difficult to script a 'bot that constantly resets a user's password.  
> A more secure method would work along the following lines:
>
> 1. Users enters username on the forgotPassword page and submits the  
> form.
>
> 2. System emails a "reset password" link to the user's email.
> Link should contain a serialized request id.
> Serialized request id should be implemented such a manner that it  
> can only be requested a limited number of times within a fairly short  
> time period (say,  3 times within 30 mins of submitting the  
> forgotPassword form).
>
> 3. User retrieves the email and clicks on the "reset password link".
>
> 4. Users arrives at the "reset password" form within OFBiz and is  
> asked to reset password.  They may also be challenged to answer a  
> security question (which adds some additional security in case the  
> email account has been compromised).
> If the "reset password link" has been clicked too many times within  
> the expiration period (indicates a possible hacking attempt), clicked  
> beyond the expiration timestamp (link is stale) or has already been  
> used to successfully reset the account password, the system should  
> present the user with an error message.
>
> Mike
>
>
> On Oct 9, 2009, at 5:51 PM, Jacques Le Roux wrote:
>
>> Yes, in *your* mailx box. Is this a problem for you ?
>> You can't prevent that if you want to give some flexibility.
>> "You can't have the cake and eat it" ;o)
>>
>> Jacques
>>
>> From: "Angelo Matarazzo" <matarazzoangelo@gmail.com>
>>> I suppose that in security.properties password.encrypt=true
>>> and my username is "matarazzoa"
>>> I suppose that an ofbiz user knows my username and in this screen https://demo904.ofbiz.org/ordermgr/control/forgotPassword
>>> put my username matarazzoa and click "email password".
>>> Ofbiz system will  change my password in userLogin entity and will  
>>> send this
>>> new password to my email address
>>> Has another user changed my password????
>>> Am I right?
>>> Thank you.
>>> --
>>> View this message in context: http://www.nabble.com/forgot-password-and-email-password-tp25824734p25824734.html
>>> Sent from the OFBiz - User mailing list archive at Nabble.com.
>>>
>>
>
Reply | Threaded
Open this post in threaded view
|

Re: forgot password and email password

Jacques Le Roux
Administrator
In reply to this post by Jacques Le Roux
Hi Angelo,

I don't think OFBiz currently prevent any DDOS attack. And you may know that in some case it *very hard* to prevent them anyway...
It's not the goal of OFBiz to prevent DDOS attacks, but I agree that in this peculiar case we could do better (sending a
confirmation email sounds like the better method, we could use captcha also, etc.)
Feel free to open a Jira issue under https://issues.apache.org/jira/browse/OFBIZ-1525 using all the relevant comments from this
thread. Of course, as ever, a patch would be highly appreciated...

Thanks

Jacques

From: "Angelo Matarazzo" <[hidden email]>

>
> Hi jacques,
> I wanted to know how "email password"  works  ad if  ofbiz already prevents
> this DOS attack.
> Regards Angelo.
>
> jacques.le.roux wrote:
>>
>> Hi Mike ,
>>
>> Yes, sure, feel free to open a Jira (the description below should be
>> sufficient, of course a patch highly appreciated)
>>
>> Thanks
>>
>> JAcques
>>
>> From: "Mike Rose" <[hidden email]>
>>> Jacques,
>>>
>>>    I think that Angelo is alluding to is that the current method
>>> allows a malicious prankster to create something of a denial of
>>> service attack against a registered user.  It wouldn't be very
>>> difficult to script a 'bot that constantly resets a user's password.
>>> A more secure method would work along the following lines:
>>>
>>> 1. Users enters username on the forgotPassword page and submits the
>>> form.
>>>
>>> 2. System emails a "reset password" link to the user's email.
>>> Link should contain a serialized request id.
>>> Serialized request id should be implemented such a manner that it
>>> can only be requested a limited number of times within a fairly short
>>> time period (say,  3 times within 30 mins of submitting the
>>> forgotPassword form).
>>>
>>> 3. User retrieves the email and clicks on the "reset password link".
>>>
>>> 4. Users arrives at the "reset password" form within OFBiz and is
>>> asked to reset password.  They may also be challenged to answer a
>>> security question (which adds some additional security in case the
>>> email account has been compromised).
>>> If the "reset password link" has been clicked too many times within
>>> the expiration period (indicates a possible hacking attempt), clicked
>>> beyond the expiration timestamp (link is stale) or has already been
>>> used to successfully reset the account password, the system should
>>> present the user with an error message.
>>>
>>> Mike
>>>
>>>
>>> On Oct 9, 2009, at 5:51 PM, Jacques Le Roux wrote:
>>>
>>>> Yes, in *your* mailx box. Is this a problem for you ?
>>>> You can't prevent that if you want to give some flexibility.
>>>> "You can't have the cake and eat it" ;o)
>>>>
>>>> Jacques
>>>>
>>>> From: "Angelo Matarazzo" <[hidden email]>
>>>>> I suppose that in security.properties password.encrypt=true
>>>>> and my username is "matarazzoa"
>>>>> I suppose that an ofbiz user knows my username and in this screen
>>>>> https://demo904.ofbiz.org/ordermgr/control/forgotPassword
>>>>> put my username matarazzoa and click "email password".
>>>>> Ofbiz system will  change my password in userLogin entity and will
>>>>> send this
>>>>> new password to my email address
>>>>> Has another user changed my password????
>>>>> Am I right?
>>>>> Thank you.
>>>>> --
>>>>> View this message in context:
>>>>> http://www.nabble.com/forgot-password-and-email-password-tp25824734p25824734.html
>>>>> Sent from the OFBiz - User mailing list archive at Nabble.com.
>>>>>
>>>>
>>>
>>
>>
>>
>
> --
> View this message in context: http://www.nabble.com/forgot-password-and-email-password-tp25824734p25846328.html
> Sent from the OFBiz - User mailing list archive at Nabble.com.
>