Item2071: reset password gives away too much information.
Current State: Confirmed
Released In: n/a
Target Release: n/a
for your login name test2 (WikiName TestSven2) has been sent t
um, so not only do we confirm that the login 'test2' exists, but we tell what that users WikiName
this might seem like a small thing if using the Topic User system and the WikiUsers
topic, but for those of us using a database backend to reduce the information leakage, its bad.
from a security pov, its also bad to give out un-necessary details - which is why most systems make you enter an email address...
this result also seems to lack an OK button - or any navigational to leave the dialog
- 15 Sep 2009
More to it than that. Entering reset password with an invalid WikiName
responds that the user does not exist in the password system.
In sites that expose WikiUsers
, it seems excessive to not provide feedback to the user that they typo'd their WikiName
, and leave them waiting for an email that will never arrive. Entering e-mail address sounds like a good solution.
Note that in Release 1.1.3, the "success" dialog does include an OK button. However an invalid WikiName
error does not, and using the back button results in a strikeone validation error on the next attempt.
- 01 Mar 2011
Since we discuss this topic, I would like to add that it has always looked weird to me that currently (and, in the past) one is able to reset a password by only entering a WikiName or login, with immediate effect and without any kind of further checking (unless I am mistaken or there is a security setting that I am missing).
Indeed, requiring a valid e-mail address should be the way to do it, but moreover, the password should not be reset unless the user receives an e-mail warning him that a password change request was made and asking them to confirm that the password should be reset.
Only after such confirmation the password should be reset, and another e-mail sent with the new password.
I am unsure whether or not addressing the various problems described there require a feature proposal...
- 01 Mar 2011
There is another task regarding the lack of confirmation of password reset. Item10206
Regarding use of email address, Foswiki is currently documented as allowing multiple users to register with the same email address. Probably the only way to deal with this:
- Generate a unique reset confirmation key per WikiName using the email address.
- Send the confirmation email with a list of possible WikiName's to reset
- Only when the user clicks the confirming link will the password be reset.
- With a unique mapping this degrades to a simple confirmation.
- (Bulk reset however probably needs to skip the confirmation step.)
This resolves both the lack of confirmation as well as the shared email address problems.
I suspect this rises to the level of requiring a feature proposal?
- 01 Mar 2011
I like the approach described in Item10206
where the confirmation link directly leads to a page where the new password can be entered. That is much better since it avoids an additional step and avoids also sending a password.
The feature proposal should probably refer to these 2 opened tasks and take the best of both, for description of the proposed implementation.
I was not aware that Foswiki is currently documented as allowing multiple users to register with the same email address (where is that?).
About the e-mails, Foswiki also allows one WikiName
to have several e-mail addresses
attached to it (see System.ChangeEmailAddress
). Probably, any password change request done by using one of these e-mail addresses should result in sending a confirmation request to all these e-mail addresses.
A problem may rise there, though, if these two usages of Foswiki correspond to a use case where different persons are using the same resources (e-mail and/or WikiName)... One way to avoid the problem would be to send the new password to all e-mail addresses so that everyone is informed. Maybe the documentation should warn against such type of uses anyway.
- 02 Mar 2011
- You can register multiple users with the same email. (And for testing, I do that frequently - if only to limit the number of email aliases I have to set up).
- 02 Mar 2011