One of our customers uses IBM's Security Access Manager (ISAM) for Enterprise Single Sign-On (ESSO), which uses a piece of software on the client called AccessAgent. From what I understand it's basically a glorified password manager.
This customer uses the software to autofill the username/password prompts on our web site so that they can log in; however, the software also tries to do this on the "Reset Password" page which comes up in the event that the software has a different password stored than what the user actually has. When users hit the reset page, AccessAgent automatically redirects them to the home page for some reason.
The first thing I tried was renaming the field from "username" to something non-semantic in hopes of throwing the software off. This worked for a few months but it has apparently 'learned' again that "hey, people put their e-mail address in here, I'll try to log them in!".
Past efforts to train individual users to turn off the software have not worked, and we continue to get a lot of "your password reset page doesn't work" tech support requests.
My question is this: Does anyone have any experience with this software, and is there a way to disable it for my password reset page? Either via HTTP header or tag or something?
Related
I have designed a standard login screen in ASP.NET like below:
As usual when operator selects “Remember me”, we expect system to not ask operator for credentials anymore and go directly to default (home) page.
My business team saw something on internet and they believe that when “Remember me” has been selected we need to pre populate the username and password and wait for customer to press “LOG IN” button:
I haven’t seen this practice so often and I am not very comfortable to do it. Although, I don’t have a good technical argument to explain and change their mind.
I am basically looking for good argument to explain cons and pros of above scenario.
Never ever should you pre-populate a passwords edit field. If you do so, everybody is able to read the plain-text password, if he can open the login form on this computer. A few minutes on an unlocked office computer would be enough to check the browser history, afterwards the attacker can login whenever and whereever he wants.
If you have a remember me function, and the user has logged in using this function, then there is no need to display the login form at all. You can just display the content. In this case, an attacker can do things with the account, but he cannot login unnoticed later from somwhere else.
I think (hope) you saw the pre-populated password field, because the browser filled in the content, and not the website did it. Maybe there is a password manager installed.
We're considering a few options for single-signon between our Django web application (we'll call it Website 1) and another specific website (Website 2). Our two top priorities are:
Ease of implementation/maintenance.
Avoiding the complication of our login process (our audience is not technically savvy at all). In other words, I don't want them to even know what OpenID is. They know to use their credentials from Website 2, though.
There are tons of Django apps for OpenID, but we don't want our users selecting their provider (we want to force them to use their "Website 2" credentials). This is my primary concern: Can I hardcode the provider so they are always using "Website 2" as the authority?
Here's what my research so far seems to think would be the flow:
User goes to the login page. We either display a button for them to click on to login, or
we just say "We're going to redirect you to Site X for authentication" and do so after a few seconds.
User gets redirected to Website 2. They enter their credentials and are redirected back to us.
The user doesn't know/care what just happened, and we have something simple to launch quickly.
Am I on the right track? Is this even possible? Do you see any caveats?
I am well aware of the security implications of this, so much so that I'm betting it doesn't exist, so before you call me crazy, that's why I'm asking.
I got really tired of having only my phone on me and installing a new app/whatever and finding myself needing to suddenly create a new application-specific password on the fly, and having to navigate Google's decidedly non-mobile-friendly security page to do that. I want to create an app of some kind that allows me to generate an application-specific password, whether by text or an Android app itself or something else. As I see it, there are two options here:
Use some Google Account Security API (if it exists) to create the application-specific password
Do scraping-type behavior (with proper credentials, of course) to automate its creation. I really don't want to do this.
Does anyone know (a) if this type of API exists, or (b) if there are any other ways to go about doing this? This app would be published on Github for self-hosting, obviously.
There is no official API to generate application-specific passwords.
I've solved this myself by doing a couple of things:
1) printing out the QR Code for the account that can be scanned by the Authenticator app in order to generate codes. I keep it secured in my desk. This allows me to reformat my phone without needing to turn two-step off each time.
2) use the browser sign-in for my Android device. When adding a Google account to an Android phone, just before the screen where you enter your username and password, click the menu button (or 3 dots on the screen if you have no menu button) and choose Browser sign-in. This allows you to login to an Android device with your username, real password and verification code rather than an application specific password.
This saves me from needing to generate application-specific passwords 95% of the time.
Jay
I want to make an application witch involves logging into google. It is basically a small application to always have your gmail with you without always having to go to the web browser and log in. Basically what I want to do is, when the person signs into their google account (or the page url changes) I want the webbrowser to refresh and go to a new point in the form and create an animation using a timer. I dont need help with the animation, I just need to know how to link it together with the person signing into google. And also, If it's possible I would like to have the person log in without the actual google web interface, but with 2 textboxes and a button. I am using Visual Studio 2008 and help with my application would be greatly appreciated!
One of the great things about GMail is that it gives you Pop3 access to the mailbox. Your application should be able to use Pop3 to login to the mailbox directly and not require the user to use the google web page (or any web page) at all.
This would be much more secure and fault tolerant than highjacking a browser session or scraping a web page for emails (as your application would break as soon as google updated the gmail app or the user changed their preferences).
You should be able to find numerous Pop3 tutorials, libraries and samples on the net (and most probably here on SO).
If you still insist to use the web browser control, you should investigate crafting your own HTTP-Post query to the page that takes the GMail login. Once you craft the correct message (including the user's username and password as the appropriate POST variables) you should be able to login directly.
Finally, you might want to have a look around on code.google.com as I'm certain this has been done before and you will most likely be able to find some sample code (whichever way you go).
Good Luck!
I'm in the process of creating a traditional desktop application, and I'd like to enable the user to protect the application with a password.
I was wondering what people tend to do in terms of helping the user if they can't remember the password? I don't want them to be locked out of the app entirely because of it.
If I were creating a web app, this wouldn't be an issue as a system could be put in place where an email is sent to them containing their password (after they answer a mother's maiden name type question)
I don't believe this is an option with a desktop app. The person who the end user may not want to access the application would likely know the mother's maiden name or have access to the end user's email account simply by opening Outlook.
I've searched Stack Overflow and Googled but no joy.
I assume there must be a common process used for such situations but I'm buggered if I can find it.
Or will my end user just have to suffer the consequences of their forgetfulness?
Thanks in advance.
How about just allowing a password hint, like Windows does?
P.S. You should never email a password, maybe just a one-use password or a link to reset the password.