Posted to user@ofbiz.apache.org by Angelo Matarazzo <ma...@gmail.com> on 2009/10/09 19:10:08 UTC

forgot password and email password

I suppose that 
in security.properties 
password.encrypt=true
and my username is "matarazzoa"

I suppose that an ofbiz user knows my username and 
in this screen 
https://demo904.ofbiz.org/ordermgr/control/forgotPassword
puts my username matarazzoa and clicks "email password".

The Ofbiz system will change my password in the userLogin entity and will send this
new password to my email address.

Has another user changed my password????

Am I right?

Thank you.


-- 
View this message in context: http://www.nabble.com/forgot-password-and-email-password-tp25824734p25824734.html
Sent from the OFBiz - User mailing list archive at Nabble.com.


Re: forgot password and email password

Posted by Jacques Le Roux <ja...@les7arts.com>.
Hi Angelo,

I don't think OFBiz currently prevents any DDOS attack. And you may know that in some cases it's *very hard* to prevent them anyway...
It's not the goal of OFBiz to prevent DDOS attacks, but I agree that in this peculiar case we could do better (sending a 
confirmation email sounds like the better method, we could use captcha also, etc.)
Feel free to open a Jira issue under https://issues.apache.org/jira/browse/OFBIZ-1525 using all the relevant comments from this
thread. Of course, as ever, a patch would be highly appreciated...

Thanks

Jacques




Re: forgot password and email password

Posted by Angelo Matarazzo <ma...@gmail.com>.
Hi jacques,
I wanted to know how "email password" works and if ofbiz already prevents
this DOS attack.
Regards Angelo.



Re: forgot password and email password

Posted by Jacques Le Roux <ja...@les7arts.com>.
Hi Mike,

Yes, sure, feel free to open a Jira (the description below should be sufficient, of course a patch highly appreciated)

Thanks

Jacques



Re: forgot password and email password

Posted by Mike Rose <mx...@mutsys.com>.
Jacques,

I think what Angelo is alluding to is that the current method
allows a malicious prankster to create something of a denial of
service attack against a registered user.  It wouldn't be very
difficult to script a 'bot that constantly resets a user's password.
A more secure method would work along the following lines:

1. User enters username on the forgotPassword page and submits the
   form.

2. System emails a "reset password" link to the user's email.
   Link should contain a serialized request id.
   Serialized request id should be implemented in such a manner that it
   can only be requested a limited number of times within a fairly short
   time period (say, 3 times within 30 mins of submitting the
   forgotPassword form).

3. User retrieves the email and clicks on the "reset password link".

4. User arrives at the "reset password" form within OFBiz and is
   asked to reset password.  They may also be challenged to answer a
   security question (which adds some additional security in case the
   email account has been compromised).
   If the "reset password link" has been clicked too many times within
   the expiration period (indicates a possible hacking attempt), clicked
   beyond the expiration timestamp (link is stale) or has already been
   used to successfully reset the account password, the system should
   present the user with an error message.

Mike



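The reset-link flow Mike sketches above, as an added example in Python that is not OFBiz code and does not reflect how OFBiz implements forgotPassword. The constants are assumed values taken from the post's "3 times within 30 mins" suggestion; the store keeps only a SHA-256 of each token, so a leaked table yields no usable links, and the request step returns None when throttled so the caller can show the same page whether or not the username exists.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_REQUESTS_PER_WINDOW = 3   # forgotPassword submissions per username ...
WINDOW_SECONDS = 30 * 60      # ... within 30 minutes (assumed values, from the post)
MAX_LINK_CLICKS = 3           # visits to one link before it is treated as abuse
LINK_TTL_SECONDS = 30 * 60    # after this the link is stale

@dataclass
class ResetRequest:
    username: str
    issued_at: float
    clicks: int = 0

def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

class ResetTokenStore:
    def __init__(self) -> None:
        self._by_hash: Dict[str, ResetRequest] = {}   # token hash -> live request
        self._issued: Dict[str, List[float]] = {}     # username -> issue times

    def request(self, username: str, now: float) -> Optional[str]:
        """Steps 1-2: token to put in the mailed link, or None when throttled
        (the caller shows the same 'check your mail' page either way)."""
        recent = [t for t in self._issued.get(username, []) if now - t < WINDOW_SECONDS]
        if len(recent) >= MAX_REQUESTS_PER_WINDOW:
            return None
        token = secrets.token_urlsafe(32)   # unguessable; never stored in clear
        self._by_hash[_hash(token)] = ResetRequest(username, now)
        self._issued[username] = recent + [now]
        return token

    def open_link(self, token: str, now: float) -> Optional[str]:
        """Step 3: count the click; None if unknown, stale, used or over-clicked."""
        req = self._by_hash.get(_hash(token))
        if req is None:
            return None
        req.clicks += 1
        if req.clicks > MAX_LINK_CLICKS or now - req.issued_at > LINK_TTL_SECONDS:
            return None
        return req.username

    def finish_reset(self, token: str, now: float) -> Optional[str]:
        """Step 4: burn the link once the new password (and any challenge) is accepted."""
        username = self.open_link(token, now)
        if username is not None:
            del self._by_hash[_hash(token)]   # single use: a second reset is refused
        return username
```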

Re: forgot password and email password

Posted by Bruno Busco <br...@gmail.com>.
An alternative method could be sending a mail with a link that lets the
user have access to the system or just to the change password
feature.
Maybe something similar to the ExternalLoginKey.

In such a way the password cannot be changed by other people but the
one who can access the registered mailbox.

-Bruno


Re: forgot password and email password

Posted by Jacques Le Roux <ja...@les7arts.com>.
Yes, in *your* mailbox. Is this a problem for you?
You can't prevent that if you want to give some flexibility.
"You can't have the cake and eat it" ;o)

Jacques
