Posted to issues@fineract.apache.org by "Francis Guchie (Jira)" <ji...@apache.org> on 2022/08/22 16:12:00 UTC
[jira] [Commented] (FINERACT-1697) Prompt user to confirm Password before changing password
[ https://issues.apache.org/jira/browse/FINERACT-1697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17583056#comment-17583056 ]
Francis Guchie commented on FINERACT-1697:
------------------------------------------
[~ikimbrah]
Yes, this will increase the security of physical access to someone's computer.
> Prompt user to confirm Password before changing password
> --------------------------------------------------------
>
> Key: FINERACT-1697
> URL: https://issues.apache.org/jira/browse/FINERACT-1697
> Project: Apache Fineract
> Issue Type: Improvement
> Components: Security
> Affects Versions: 1.7.0
> Reporter: ibrahim kimbugwe
> Assignee: Rahul Pawar
> Priority: Major
> Fix For: 1.9.0
>
> Attachments: image-2022-08-21-12-42-00-827.png
>
>
> Upon updating the password inside the user profile, a user needs to be prompted for his/her current password.
> Let's take a scenario of a user who finishes work in the evening and forgets to log out of the system. The current session is 5 minutes, whereby if someone gets onto the user's computer while logged in, he/she can change the password, since the system allows changing a password without the need to confirm the old password.
> This is a big security issue since the user's changed credentials can be used even off the current PC to maliciously cause harm.
> [~edcable] [~aleks], [~francisguchie] [~rrpawar] & [~eroemma] what is your opinion on this and can it receive attention please?
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
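
The check requested in the issue above, as an added example that is not part of the original message and is not Fineract code: a password change that succeeds only when the current password is re-entered and verified, next to the session-only behaviour the report describes. All class and method names, the PBKDF2 parameters, and the sample passwords are assumptions made for this illustration.

```java
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;

// Added illustration: hypothetical names, not Fineract's API.
public class PasswordChangeExample {
    private static final int ITERATIONS = 210_000; // assumed PBKDF2 work factor
    private byte[] salt;
    private byte[] hash;

    PasswordChangeExample(char[] initialPassword) throws GeneralSecurityException {
        store(initialPassword);
    }

    private static byte[] derive(char[] pw, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(pw, salt, ITERATIONS, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    private void store(char[] pw) throws GeneralSecurityException {
        salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        hash = derive(pw, salt);
    }

    boolean verify(char[] candidate) throws GeneralSecurityException {
        // MessageDigest.isEqual compares without stopping at the first mismatching byte.
        return candidate != null && candidate.length > 0
                && MessageDigest.isEqual(hash, derive(candidate, salt));
    }

    // Behaviour described in the report: a live session alone is enough.
    boolean changeWithSessionOnly(boolean sessionActive, char[] newPw) throws GeneralSecurityException {
        if (!sessionActive) return false;
        store(newPw);
        return true;
    }

    // Requested behaviour: the current password must be re-entered and verified.
    boolean changeWithCurrentPassword(boolean sessionActive, char[] currentPw, char[] newPw)
            throws GeneralSecurityException {
        if (!sessionActive || !verify(currentPw)) return false;
        store(newPw);
        return true;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed sample values; the caller at the unattended PC holds a session but not the old password.
        PasswordChangeExample user = new PasswordChangeExample("constructed-old-pw".toCharArray());
        System.out.println(user.changeWithCurrentPassword(true, "guess".toCharArray(), "intruder-pw".toCharArray()));
        System.out.println(user.changeWithCurrentPassword(true, "constructed-old-pw".toCharArray(), "constructed-new-pw".toCharArray()));
        System.out.println(user.changeWithSessionOnly(true, "intruder-pw".toCharArray()));
    }
}
```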