I would like to ask some questions about password security. In my software the admin can create a new user setting the password and the username. I believe sending the password in plain text in an email is not a very good idea, so I’m thinking about sending a link that redirect the user to a page where they can set up their password. This link should expire after few hours as well. On my login form I’ve also have the option “forgot password” how can I prevent that a user doesn’t use it until they create the new password? How would you do it?
A password reset link is technically exactly the same as a registration link, both are relying on the "fact" that only the owner of the email address can read the link. So there is no reason to prevent a password reset when the user did not yet login.
The usual workflow is slightly different though, usually the user makes the first contact with the site and on the register page (s)he is asked to enter a password.
Related
I'm in the middle of implementing "forgot password". my auth is via jwt access token. (user log in, gets an access token, sends it with the rest api calls).
so let's say the user which currently isn't logged in, click the "forgot password".
i create for him some hashed token, and then send him a mail.
if he will click it I'll decode, display him the change password, and create a new access token, like this is the main idea and all good.
My question is for this scenario:
user clicks forgot password, enter his mail, i send him a mail, but then instead of clicking the url and resetting, he logs in via his password.
should i let him log in? creating an access token and all good? while resetting the token from the sent mail (or is it still a valid token to reset the password with?)
display some error saying go to your mail and continue forgot password process?
my question is from security aspects, since maybe a user think his password was compromised, and then if i do let him in, then maybe someone who got the password (which isn't the user) can still log in /change password - while the original user goes to the mail and think he processed with the process.
i know it's maybe a rare race condition but i would like to avoid it.
(also, if i do let him in, and then he click the url from the mail which was already sent, should i reset it? in my scenario, maybe it's better not to reset? or if a user click twice "forgot password" should i create 2 different tokens, accepting only the later?)
ii realy would appreciate an advice, how to handle that scenarios, all forgot password related.
thanks.
Im not an Expert. This is just my opinion:
The "Forgot Password" funktionality should not render the old password unusable as someone else could invoke this process to prevent the owner of the acount from logging in.
It could take you quite some time to realize the email and would cause a lot of headdache.
When someone requests multiple emails in a short while they should all be functional. It happens often that the mail servers take their time and humans are not known for their patience so they click the button twice but use the first link arriving in their inbox.
This is all conserning usabilty.
Now to security:
The emails should also stay active when someone loggs in. As you mentioned a malicious actor could log in and otherwies prevent the owner from changing their password that way.
I think i get the whole password hashing and verifying login as I got it working with php. however I need an answer and some advise and I dont mean dont eat yellow snow!! :)
I want to store the passwords of users in a hashed format, however I have a need where by I need to be able to see or use given password so I can help the customer fix there issues as a technician.
Now passwords are first created by my system then issued to customer, however users have the choice to change their passwords if they so wish.
username is also created by system.
Now that being said:
I had 2 thoughts both of which I have no idea how to do so some pointer or an answer would be great.
idea 1:
is to have a button on my site to show only the technicians the user password on demand. so they can copy and paste to the site.
Idea 2:
I was also thinking that rather than see the password. I could have some way to transfer the password into the site to create an auto login into the website.
So technician would have a button that they press and the password is sent to the site to auto login with the hashed password.
Thanks in advance.
To give technicians access to a user account, there is no need to know the users plaintext passwords. It is the job of your application to restrict access, so you can create an admin role which is able to impersonate a user.
Making passwords recoverable weakens the security of your site immensly.
I have been looking for the past few hours on how to user the phpBB login script on a custom site. I think I'm just not searching for the right things.
A while ago, I created a phpBB site and have over 900 members registered through phpBB. I am currently face-lifting this site and redoing the user registration along with all of the other custom code I have.
My problem is, I want the users to be able to log in as usual, though I want to input them into my new database so everything can run smoothly. I mainly need their username, password and old ID#, but I don't know how to use phpBB's password authentication or where to find it
The statement needs to look something like this:
On Login, grab username and password variables:
if the username is not in MY database, check phpBB database.
If the username is in phpBB database, check to see if the password is correct **(This is the part I don't know how to do)**
If the password is correct, input the username, user ID and the password (encrypted my way) into MY database
Login
If the password is incorrect - error
if the username is NOT in phpBB database - continue
if the username is not in MY database - input username and encrypted pass into my DB
login
Where can I find a script to authenticate the phpBB user's passwords? I don't care how the script is done, I know that's a secret, I just need to be able to authenticate passwords so that I can make sure it's the same user
I do have access to the phpBB database, I just need a way to authenticate their password
I would rather delete the quesion, but here's the answer:
Check here: http://sunnyis.me/blog/secure-passwords/
and when you download the PasswordHash.php, change all of the $P$ to $H$. It will work. Strange how it creates a password, every time it creates, it's different. But the CHECK part of it makes sure it checks it correctly, no matter what hashed pass it creates.
Many lost password workflows usually result in a page which is reached by a temporary link emailed to the user. This link then takes them to a page that asks for a new password.
Upon entering the new password should a user be forced to logon manually, or should the password reset page authenticate the user automatically which would reduce the number of steps and thus complexity of the process for the end user?
I often encounter password reset pages that make me reset my password and then login which feels like I'm logging in twice for no good reason.
I quite like drupal's method: The user gets sent an email with a link in it which will log them on once; upon logging in with it they are given the opportunity to change their password.
I don't know of any significant advantage to forcing the user to re-enter the password that they just entered twice. If someone does, I'd be interested to hear about it.
You should make it auto login. Don't see why you would make the user login.
If it's because of bot protection, just add a captcha when the user logins using the link.
I'm wondering what the best method is for creating a forgot password function on a website. I have seen quite a few out there, here are a few or combination of:
passphrase question / answer (1 or more)
send email with new password
on screen give new password
confirmation through email: must click link to get new password
page requiring user to enter a new password
What combination or additional steps would you add to a forgot password function? I'm wondering about how they request the new password and how they end up getting it.
I'm operating on the principal that the password cannot be retrieved; a new password must be given/generated.
Edit I like what Cory said about not displaying if the username exists, but I'm wondering what to display instead. I'm thinking half the problem is that the user forgot which email address they used, which displaying some sort of "does not exist" message is useful. Any solutions?
I personally would send an email with a link to a short term page that lets them set a new password. Make the page name some kind of UID.
If that does not appeal to you, then sending them a new password and forcing them to change it on first access would do as well.
Option 1 is far easier.
A few important security concerns:
A passphrase question / answer actually lowers security since it typically becomes the weakest link in the process. It's often easier to guess someone's answer than it is a password - particularly if questions aren't carefully chosen.
Assuming emails operate as the username in your system (which is generally recommended for a variety of reasons), the response to a password reset request shouldn't indicate whether a valid account was found. It should simply state that a password request email has been sent to the address provided. Why? A response indicating that an email does/doesn't exist allows a hacker to harvest a list of user accounts by submitting multiple password requests (typically via an HTTP proxy like burp suite) and noting whether the email is found. To protect from login harvesting you must assure no login/auth related functions provide any indication of when a valid user's email has been entered on a login/pass reset form.
For more background, checkout the Web Application Hackers Handbook. It's an excellent read on creating secure authentication models.
EDIT: Regarding the question in your edit - I'd suggest:
"A password request email has been
sent to the address you provided. If
an email doesn't arrive shortly,
please check your spam folder. If no
email arrives, then no account exists
with the email you provided."
There's a trade-off being made here between ease of use and security. You have to balance this based on context - is security important enough to you and your users to justify this inconvenience?
Send email with new password.
FORCE a password change when they arrive and key in the new password.
This ensures that the person who wanted the password will be the only only getting in to the account.
If the email is sniffed, someone could get in to the account (of course), but the real party will discover this immediately (as their password you just sent them doesn't work).
Also send confirmations of password changes to the users.
If someone get the new password, and then an email saying "thanx for changing the password", they're going to be rather puzzled and will talk to an admin if they didn't do it.
Using the email verification/password reset link will give you better security.
If you look around this is how most websites do it and people are pretty used to this verification, so I'd recommend using this type of authentication.
I would think (gbrandt's) Option 2 would be a great method if it is combined with some personal information you already have for the user. i.e date of birth.
When the user requests a new password (reset) via entering his email address, he also has to enter a correct date of birth (or something else) before the password is reset and a new one is emailed to the user.
Only those who know him well can possibly annoy him by resetting his password! It cant be a stranger or a bot
Upon 5 or 7 bad email-address & date of birth combinations the user is emailed that his password has been requested to be reset and has failed due to an incorrect credential. Then password resetting for that account is suspended for 24hrs or any desired period.
(if too many users contact the webadmin regarding this email he'll know someone is trying to maliciously attain information from your website/app)
What do you guys think?
Option 1. is not a good idea, as generally his becomes easily guessable by others. Sarah Palin's personal email (Yahoo I think) was hacked in this way by a third party.
The other options are better and previous posts have outlined the detail.
The idea I was thinking about was to sign the data in the link that is sent to the user. Then, when the user clicks the link and the server receives the call, the server also gets the encrypted part and can validate that the data was untouched.
I have implemented a JAVA project for this use case. It is on GitHub, open source. It answers your question perfectly... implemented in Java.
As for the link in the email - it generates the link, plus validates it upon usage.
There are explanation for everything (and if something is missing - let me know...)
Have a look: https://github.com/OhadR/Authentication-Flows
See a Demo here.
This is the client web-app that uses the auth-flows, with the README with all explanations. it directs you the implementation: https://github.com/OhadR/authentication-flows/tree/master/authentication-flows