You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ofbiz.apache.org by Paul Foxworthy <pa...@cohsoft.com.au.INVALID> on 2019/10/07 00:59:53 UTC
Re: [DISCUSSION] (OFBIZ-11206) Edit the user login security question
from party profile
I agree with Jacques and Nicolas - remove it.
Security is only as good as its weakest link (
https://www.schneier.com/essays/archives/2005/02/the_curse_of_the_sec.html)
, and security questions can be a real weakness. Any organisation using
OFBiz that really hates passwords could look at security keys from Yubico
or the like.
Cheers
Paul Foxworthy
On Tue, 1 Oct 2019 at 03:29, Nicolas Malin <ni...@nereide.fr> wrote:
> I lean in remove it, it's not a functionality really up to date with
> code complexity for a few 'most valuable'.
>
> Nicolas
>
> On 9/29/19 11:08 AM, Jacques Le Roux wrote:
> > Le 26/09/2019 à 11:47, Jacques Le Roux a écrit :
> >> Hi,
> >>
> >> Below is a summary of the situation, you can refer to the Jira issues
> >> comments for more information.
> >>
> >> With OFBIZ-4983 and r1716915, basically a feature was implemented to
> >> allow an eCommerce customer to create a security question while
> >> creating his/her account. The user could then answer the security
> >> question to get his/her password through email.
> >>
> >> This feature was partly removed while fixing OFBIZ-4361, where
> >> basically a JWT is used to safely ask for a new password through and
> >> email
> >>
> >> With OFBIZ-11206 patch it's possible to create a security question
> >> but only in partymgr. When used from "forgot your password" feature,
> >> if you have also set a password hint, you get on screen the value of
> >> your password hint.
> >>
> >> As I wrote in OFBIZ-11206:
> >>
> >> /"I wonder if it makes sense to keep this feature as is. It seems
> >> convoluted to me. Why ask a question to get a password hint? //
> >> //It seems a lot to remember:/
> >>
> >> //
> >>
> >> 1. /The choice of the security question/
> >> 2. /The answer to this security question/
> >> 3. /The relation between the password hint and the password itself/
> >>
> >> //
> >>
> >> /I see only a good thing in this feature: you don't have to change
> >> your password. But sincerely do we really need a such feature? I
> >> finally think
> >> than rather fixing the current state we should remove the feature
> >> all together. IMO, the password link in an email done a safe way is
> >> enough. //
> >> /
> >>
> >> /The point to keep in mind is that OOTB all OFBiz users must have
> >> an email, apart anonymous which have no passwords anyway."/
> >>
> >> So, as suggested Nicolas, either we
> >>
> >> * /"We continue to support this and I will increase coherence of
> >> that/
> >> * /We abandon it and I will remove all code linked to this
> >> deprecated feature"/
> >>
> >> What do you think?
> >>
> >> Thanks
> >>
> >> Jacques
> >>
> >>
> > Hi All,
> >
> > Without answers I'll consider that we don't want to keep the password
> > hint stuff. It seems like a duplicate of the now safe emailed password
> > change to me.
> >
> > So I'll remove it in a week
> >
> > Thanks
> >
> > Jacques
> >
> >
>
--
Coherent Software Australia Pty Ltd
PO Box 2773
Cheltenham Vic 3192
Australia
Phone: +61 3 9585 6788
Web: http://www.coherentsoftware.com.au/
Email: info@coherentsoftware.com.au
Re: [DISCUSSION] (OFBIZ-11206) Edit the user login security question
from party profile
Posted by Jacques Le Roux <ja...@les7arts.com>.
I have created OFBIZ-11244 for that. I'll work on it ASAP
Jacques
Le 07/10/2019 à 10:15, Jacques Le Roux a écrit :
> Thanks Paul,
>
> Very good points indeed
>
> Jacques
>
> Le 07/10/2019 à 02:59, Paul Foxworthy a écrit :
>> I agree with Jacques and Nicolas - remove it.
>>
>> Security is only as good as its weakest link (
>> https://www.schneier.com/essays/archives/2005/02/the_curse_of_the_sec.html)
>> , and security questions can be a real weakness. Any organisation using
>> OFBiz that really hates passwords could look at security keys from Yubico
>> or the like.
>>
>> Cheers
>>
>> Paul Foxworthy
>>
>> On Tue, 1 Oct 2019 at 03:29, Nicolas Malin <ni...@nereide.fr> wrote:
>>
>>> I lean in remove it, it's not a functionality really up to date with
>>> code complexity for a few 'most valuable'.
>>>
>>> Nicolas
>>>
>>> On 9/29/19 11:08 AM, Jacques Le Roux wrote:
>>>> Le 26/09/2019 à 11:47, Jacques Le Roux a écrit :
>>>>> Hi,
>>>>>
>>>>> Below is a summary of the situation, you can refer to the Jira issues
>>>>> comments for more information.
>>>>>
>>>>> With OFBIZ-4983 and r1716915, basically a feature was implemented to
>>>>> allow an eCommerce customer to create a security question while
>>>>> creating his/her account. The user could then answer the security
>>>>> question to get his/her password through email.
>>>>>
>>>>> This feature was partly removed while fixing OFBIZ-4361, where
>>>>> basically a JWT is used to safely ask for a new password through and
>>>>> email
>>>>>
>>>>> With OFBIZ-11206 patch it's possible to create a security question
>>>>> but only in partymgr. When used from "forgot your password" feature,
>>>>> if you have also set a password hint, you get on screen the value of
>>>>> your password hint.
>>>>>
>>>>> As I wrote in OFBIZ-11206:
>>>>>
>>>>> /"I wonder if it makes sense to keep this feature as is. It seems
>>>>> convoluted to me. Why ask a question to get a password hint? //
>>>>> //It seems a lot to remember:/
>>>>>
>>>>> //
>>>>>
>>>>> 1. /The choice of the security question/
>>>>> 2. /The answer to this security question/
>>>>> 3. /The relation between the password hint and the password itself/
>>>>>
>>>>> //
>>>>>
>>>>> /I see only a good thing in this feature: you don't have to change
>>>>> your password. But sincerely do we really need a such feature? I
>>>>> finally think
>>>>> than rather fixing the current state we should remove the feature
>>>>> all together. IMO, the password link in an email done a safe way is
>>>>> enough. //
>>>>> /
>>>>>
>>>>> /The point to keep in mind is that OOTB all OFBiz users must have
>>>>> an email, apart anonymous which have no passwords anyway."/
>>>>>
>>>>> So, as suggested Nicolas, either we
>>>>>
>>>>> * /"We continue to support this and I will increase coherence of
>>>>> that/
>>>>> * /We abandon it and I will remove all code linked to this
>>>>> deprecated feature"/
>>>>>
>>>>> What do you think?
>>>>>
>>>>> Thanks
>>>>>
>>>>> Jacques
>>>>>
>>>>>
>>>> Hi All,
>>>>
>>>> Without answers I'll consider that we don't want to keep the password
>>>> hint stuff. It seems like a duplicate of the now safe emailed password
>>>> change to me.
>>>>
>>>> So I'll remove it in a week
>>>>
>>>> Thanks
>>>>
>>>> Jacques
>>>>
>>>>
>>
>
Re: [DISCUSSION] (OFBIZ-11206) Edit the user login security question
from party profile
Posted by Jacques Le Roux <ja...@les7arts.com>.
Thanks Paul,
Very good points indeed
Jacques
Le 07/10/2019 à 02:59, Paul Foxworthy a écrit :
> I agree with Jacques and Nicolas - remove it.
>
> Security is only as good as its weakest link (
> https://www.schneier.com/essays/archives/2005/02/the_curse_of_the_sec.html)
> , and security questions can be a real weakness. Any organisation using
> OFBiz that really hates passwords could look at security keys from Yubico
> or the like.
>
> Cheers
>
> Paul Foxworthy
>
> On Tue, 1 Oct 2019 at 03:29, Nicolas Malin <ni...@nereide.fr> wrote:
>
>> I lean in remove it, it's not a functionality really up to date with
>> code complexity for a few 'most valuable'.
>>
>> Nicolas
>>
>> On 9/29/19 11:08 AM, Jacques Le Roux wrote:
>>> Le 26/09/2019 à 11:47, Jacques Le Roux a écrit :
>>>> Hi,
>>>>
>>>> Below is a summary of the situation, you can refer to the Jira issues
>>>> comments for more information.
>>>>
>>>> With OFBIZ-4983 and r1716915, basically a feature was implemented to
>>>> allow an eCommerce customer to create a security question while
>>>> creating his/her account. The user could then answer the security
>>>> question to get his/her password through email.
>>>>
>>>> This feature was partly removed while fixing OFBIZ-4361, where
>>>> basically a JWT is used to safely ask for a new password through and
>>>> email
>>>>
>>>> With OFBIZ-11206 patch it's possible to create a security question
>>>> but only in partymgr. When used from "forgot your password" feature,
>>>> if you have also set a password hint, you get on screen the value of
>>>> your password hint.
>>>>
>>>> As I wrote in OFBIZ-11206:
>>>>
>>>> /"I wonder if it makes sense to keep this feature as is. It seems
>>>> convoluted to me. Why ask a question to get a password hint? //
>>>> //It seems a lot to remember:/
>>>>
>>>> //
>>>>
>>>> 1. /The choice of the security question/
>>>> 2. /The answer to this security question/
>>>> 3. /The relation between the password hint and the password itself/
>>>>
>>>> //
>>>>
>>>> /I see only a good thing in this feature: you don't have to change
>>>> your password. But sincerely do we really need a such feature? I
>>>> finally think
>>>> than rather fixing the current state we should remove the feature
>>>> all together. IMO, the password link in an email done a safe way is
>>>> enough. //
>>>> /
>>>>
>>>> /The point to keep in mind is that OOTB all OFBiz users must have
>>>> an email, apart anonymous which have no passwords anyway."/
>>>>
>>>> So, as suggested Nicolas, either we
>>>>
>>>> * /"We continue to support this and I will increase coherence of
>>>> that/
>>>> * /We abandon it and I will remove all code linked to this
>>>> deprecated feature"/
>>>>
>>>> What do you think?
>>>>
>>>> Thanks
>>>>
>>>> Jacques
>>>>
>>>>
>>> Hi All,
>>>
>>> Without answers I'll consider that we don't want to keep the password
>>> hint stuff. It seems like a duplicate of the now safe emailed password
>>> change to me.
>>>
>>> So I'll remove it in a week
>>>
>>> Thanks
>>>
>>> Jacques
>>>
>>>
>