Customer password update on migration from old site
I am migrating from an old site and have over 6000 customers. Passwords for their online accounts cannot be imported so I would like to ensure that they are forced to select/change their password on first login. All I can see is a way to do that one at a time through the dashboard. Any help on this would be appreciated.
this can only be enabled through your control panel, and not a CSV export/import. Changing this functionality to allow it to occur in bulk is scheduled for a future release, though!
Here is more information on forcing customers to reset their passwords:
https://support.bigcommerce.com/s/article/Customer-Account-Management/#pw-reset
Alternatively, you could send out an email blast through your store's dedicated email system to all of your customers letting them know to reset their passwords, saying something like, "Due to changes in our system, you password will need to be reset. Go to www.domain.com/login.php?action=reset_password to reset your password now."
Related
From the documentation I could find out that only upon first login into my app, the users name and email will be returned with the credential. So i go ahead and save these to my backend.
Now if the user decides to delete his account, I delete all his data from my backend (thats propably what the user wants me to do. And isnt that what i have to do anyway according to some privacy laws or what not?).
Now if the user ever decides to change his mind another time and install the app, will i not be able to fetch username and email? No matter what i do? Or did I miss some kind of user.ultimateSignoutAndDelete(for: .ever) to be able to fetch userdata on his next sign in?
Maybe this scenario seems a bit constructed but when testing apple-sign-in you stumble upon that immediately.
Once you delete a Firebase Auth account, there is no way to recover any information from that account. All links between the user and your projects are gone. The user will have to create a new account.
I have application where administrators have to create accounts for the new users. Basically there is no option for random user to create account and access this app. The admin would have to enter some basic info like First, Last name, Email address, User name and then comes to the password. I have algorithm that generates unique passwords. I'm looking for the better option to handle this situation.
The old application worked this way: admin enters info, generates password and there is an option either to automatically notify users via email or admin will contact directly that user and provide login info. This method seems very inefficient and insecure at the same time. Sending info like user name and password in the email is definitely not recommended nowadays. I was wondering what would be a good approach?
Should I generate unique link with expiration date where user can enter the password? Or there is better way to handle this situation? I use JavaScript, JQuery and ColdFusion 2016 for this project.
I think i get the whole password hashing and verifying login as I got it working with php. however I need an answer and some advise and I dont mean dont eat yellow snow!! :)
I want to store the passwords of users in a hashed format, however I have a need where by I need to be able to see or use given password so I can help the customer fix there issues as a technician.
Now passwords are first created by my system then issued to customer, however users have the choice to change their passwords if they so wish.
username is also created by system.
Now that being said:
I had 2 thoughts both of which I have no idea how to do so some pointer or an answer would be great.
idea 1:
is to have a button on my site to show only the technicians the user password on demand. so they can copy and paste to the site.
Idea 2:
I was also thinking that rather than see the password. I could have some way to transfer the password into the site to create an auto login into the website.
So technician would have a button that they press and the password is sent to the site to auto login with the hashed password.
Thanks in advance.
To give technicians access to a user account, there is no need to know the users plaintext passwords. It is the job of your application to restrict access, so you can create an admin role which is able to impersonate a user.
Making passwords recoverable weakens the security of your site immensly.
I am very curious to know some of the points regarding registration and login related points as a developer points of view. Please see below the steps for any online account which is publicly open for all,
CREATE USER ACCOUNT : Insert the data entered by user along with a column activate which default value is 0
SEND A LINK TO ACTIVATE : a link has been sent to user email at the time of registration
ACTIVATE THE ACCOUNT : user clicks over the link and the link is verified and update the column 'activate' with value 1
Why to sent a link & verifying is necessary which I supposed that is not utmost required. I asked to clients why u want such verification and i get the answer almost same e.g. checking the authenticity of the user and it'd be helpful to stop the duplicity of the user.
but practically at the time of user login, i suppose it is useless to verify each time the activate column along with password for every user.
I would appreciate if u explain the points which is very important regarding my concern.
This is really a slippery slope, but there are reasons. Obviously spam users will try to create accounts as quickly as possible, for spam reasons. Email and captcha verification will handle this.
Another is the issue of clumsy or accident-prone users that will forget their passwords, which can be worked around by email reminders/resets. Sadly, users may try to add fake email addresses(or mistyped ones) and lose access to their accounts, requiring admin intervention. Simple verification can force users to get their account into a self-rescuable state before adding any data.
We are building a CRM type app although this would apply to any application where there are "members" and "staff" e.g. a shopping site, dating site, facebook etc.
In our app, users can change their password the usual way, by resetting it with email confirmation. Users can also have more than one email address associated with their account.
What we are trying to work out is how to prevent staff using the system taking over the accounts. We want staff to be able to edit the email address (because someone may phone in and request a change); the issue then is they can simply change the email to one they control - and request a password re-set as a user.
Are there any recommended best practices for this?
You could require the user to also authenticate the action by other means, such as when the email address is changed the user is sent a confirmation code via text message that they must input somewhere.
Another means would be to only allow access to the account if certain information is inputted correctly. This could be address information or DOB. It is unlikely that this information could be guessed from something like a name or account number.
1) Add one of those silly security questions like "What is your favorite color?" and store the answer, encrypted, in the database. Staff could edit the email to their heart's content, but if they didn't know the answer to the secret question the system wouldn't let them change the password. If you have concerns about staff trustworthiness, then you need to introduce something outside their control that serves as a final gateway before you can change the user account.
I imagine a simple implementation would simply check to see if the user reset their password. If so, on login, it challenges them with the security question to "authenticate" them before allowing them to proceed.
2) Logging, monitoring, and auditing. Record which staff accounts accessed the email address change form, what address(es) they changed, what they changed them too, and when they changed them. Also record the connection information of the people accessing the accounts. If your logs show one IP address accessing 4-5 completely disparate accounts, you might need to look into that. (Yes, I know you can use proxies etc. to mask this. Not perfect but it'd weed out the chaff pretty fast).
3) Hire trustworthy people! #2 should really only need to be used as a "check" against abuse instead of the end all be all to stop it.