Posted to dev@roller.apache.org by Gaurav <ga...@gmail.com> on 2013/12/13 14:12:08 UTC

Forgotten Passwords

Hello,

I was wondering about the forgotten passwords feature, which is missing 
in Roller. I found this issue already there in JIRA among the popular 
issues [1]. I am thinking of fixing this issue, as it is a major issue 
in case a user loses their password. I am thinking of adding a new 
security question field to the user registration form, where we can have 
some default questions, and we can store the answer in the database. 
This question can be used in case the user forgets the password.

I would like some starting help: how should I go about solving this 
issue? Thanks in advance for any help.

[1] - https://issues.apache.org/jira/browse/ROL-9

-- 
Regards,
*Gaurav Saini*
/Developer, Digital Marketing and Pursuing B.Tech/
/Email: gauravsaini at gmail/

Re: Forgotten Passwords

Posted by Glen Mazza <gl...@gmail.com>.
Hi Gaurav, this is just a blog, not online banking, so I don't think we 
should be storing security questions, as *that* becomes a security hole 
(A bad guy blog administrator can gather bloggers' security answers by 
reading the table and use *that* to go after bloggers' online banking 
sites, etc.)  In many cases blogs are either single-user or students at 
a school (http://blogs.mervpolis.com/roller/), nothing serious, and the 
blog admin can always change an individual blog's password if needed 
even without ROL-9.

I think what we need is an ability to email a reset password for a given 
email address (not the old real password, but a reset one that is some 
random string, different for each request), *and* a blog-administration 
level setting allowing/disallowing emailed password resets, so if this 
option is disallowed for security reasons Roller will be back to what it 
presently is, where only admins can reset passwords.  Perhaps other 
Apache webapp projects (JSPWiki? maybe some others) already have this 
password reset functionality so Roller can copy that code over directly.

Regards,
Glen



On 12/13/2013 08:12 AM, Gaurav wrote:
> Hello,
>
> I was wondering about the forgotten passwords feature, which is missing 
> in Roller. I found this issue already there in JIRA among the popular 
> issues [1]. I am thinking of fixing this issue, as it is a major issue 
> in case a user loses their password. I am thinking of adding a new 
> security question field to the user registration form, where we can have 
> some default questions, and we can store the answer in the database. 
> This question can be used in case the user forgets the password.
>
> I would like some starting help: how should I go about solving this 
> issue? Thanks in advance for any help.
>
> [1] - https://issues.apache.org/jira/browse/ROL-9
>
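
A sketch of the emailed-reset design proposed in the reply above, added here as an example and not taken from Roller, JSPWiki or either poster: a fresh random string per request, stored only as a hash, usable once, and gated by an admin setting. The class, method and setting names, the 30-minute lifetime, the in-memory map standing in for a database table, and Java 16+ (for `record`) are assumptions; sending the mail is left out.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

// Added sketch: every name here is hypothetical, none is Roller's.
public class PasswordResetSketch {
    private record Pending(byte[] hash, Instant expires) {}
    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, Pending> pending = new ConcurrentHashMap<>(); // stands in for a DB table
    private final boolean emailResetAllowed; // admin-level allow/disallow setting

    public PasswordResetSketch(boolean emailResetAllowed) { this.emailResetAllowed = emailResetAllowed; }

    private static byte[] sha256(String s) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
    }

    // Returns the random string to email, or empty when the admin has disabled emailed resets.
    public Optional<String> issue(String email) throws Exception {
        if (!emailResetAllowed) return Optional.empty();
        byte[] raw = new byte[32];
        RNG.nextBytes(raw); // fresh 256-bit value for every request
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        // Keep only the hash, with an assumed 30-minute lifetime; a new request replaces the old one.
        pending.put(email, new Pending(sha256(token), Instant.now().plusSeconds(1800)));
        return Optional.of(token);
    }

    // Accepts the latest unexpired string for this address exactly once.
    public boolean redeem(String email, String token) throws Exception {
        Pending p = pending.get(email);
        if (p == null || Instant.now().isAfter(p.expires())
                || !MessageDigest.isEqual(p.hash(), sha256(token))) return false; // constant-time compare
        return pending.remove(email, p); // single use
    }

    public static void main(String[] args) throws Exception {
        PasswordResetSketch on = new PasswordResetSketch(true);
        String first = on.issue("blogger@example.com").orElseThrow(); // constructed address
        String second = on.issue("blogger@example.com").orElseThrow();
        System.out.println("superseded string accepted: " + on.redeem("blogger@example.com", first));
        System.out.println("latest string accepted: " + on.redeem("blogger@example.com", second));
        System.out.println("replay accepted: " + on.redeem("blogger@example.com", second));
        System.out.println("issued while disabled: "
                + new PasswordResetSketch(false).issue("blogger@example.com").isPresent());
    }
}
```

Because only the SHA-256 of the random string is kept, reading the table does not yield a usable reset value, which addresses the administrator-reads-the-table concern raised against stored security answers.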