Item2071: reset password gives away too much information.

Priority: Normal
Current State: Confirmed
Released In: n/a
Target Release: n/a
Applies To: Engine
Component: FoswikiUIPasswords, FoswikiUsability
Reported By: SvenDowideit
Waiting For:
Last Change By: RaulFRodriguez
it says...

for your login name test2 (WikiName TestSven2) has been sent t

um, so not only do we confirm that the login 'test2' exists, but we tell what that users WikiName is

this might seem like a small thing if using the Topic User system and the WikiUsers topic, but for those of us using a database backend to reduce the information leakage, its bad.

from a security pov, its also bad to give out un-necessary details - which is why most systems make you enter an email address...

this result also seems to lack an OK button - or any navigational to leave the dialog

-- SvenDowideit - 15 Sep 2009

More to it than that. Entering reset password with an invalid WikiName responds that the user does not exist in the password system.

In sites that expose WikiUsers, it seems excessive to not provide feedback to the user that they typo'd their WikiName, and leave them waiting for an email that will never arrive. Entering e-mail address sounds like a good solution.

Note that in Release 1.1.3, the "success" dialog does include an OK button. However an invalid WikiName error does not, and using the back button results in a strikeone validation error on the next attempt.

-- GeorgeClark - 01 Mar 2011

Since we discuss this topic, I would like to add that it has always looked weird to me that currently (and, in the past) one is able to reset a password by only entering a WikiName or login, with immediate effect and without any kind of further checking (unless I am mistaken or there is a security setting that I am missing).

Indeed, requiring a valid e-mail address should be the way to do it, but moreover, the password should not be reset unless the user receives an e-mail warning him that a password change request was made and asking them to confirm that the password should be reset.

Only after such confirmation the password should be reset, and another e-mail sent with the new password.

I am unsure whether or not addressing the various problems described there require a feature proposal...

-- RaulFRodriguez - 01 Mar 2011

There is another task regarding the lack of confirmation of password reset. Item10206

Regarding use of email address, Foswiki is currently documented as allowing multiple users to register with the same email address. Probably the only way to deal with this:

  • Generate a unique reset confirmation key per WikiName using the email address.
  • Send the confirmation email with a list of possible WikiName's to reset
  • Only when the user clicks the confirming link will the password be reset.
  • With a unique mapping this degrades to a simple confirmation.
  • (Bulk reset however probably needs to skip the confirmation step.)

This resolves both the lack of confirmation as well as the shared email address problems.

I suspect this rises to the level of requiring a feature proposal?

-- GeorgeClark - 01 Mar 2011

I like the approach described in Item10206 where the confirmation link directly leads to a page where the new password can be entered. That is much better since it avoids an additional step and avoids also sending a password.

The feature proposal should probably refer to these 2 opened tasks and take the best of both, for description of the proposed implementation.

I was not aware that Foswiki is currently documented as allowing multiple users to register with the same email address (where is that?).

About the e-mails, Foswiki also allows one WikiName to have several e-mail addresses attached to it (see System.ChangeEmailAddress). Probably, any password change request done by using one of these e-mail addresses should result in sending a confirmation request to all these e-mail addresses.

A problem may rise there, though, if these two usages of Foswiki correspond to a use case where different persons are using the same resources (e-mail and/or WikiName)... One way to avoid the problem would be to send the new password to all e-mail addresses so that everyone is informed. Maybe the documentation should warn against such type of uses anyway.

-- RaulFRodriguez - 02 Mar 2011

See - You can register multiple users with the same email. (And for testing, I do that frequently - if only to limit the number of email aliases I have to set up).

-- GeorgeClark - 02 Mar 2011

ItemTemplate edit

Summary reset password gives away too much information.
ReportedBy SvenDowideit
Codebase 1.1.2, 1.0.6, trunk
SVN Range Foswiki-1.0.0, Thu, 08 Jan 2009, build 1878
AppliesTo Engine
Component FoswikiUIPasswords, FoswikiUsability
Priority Normal
CurrentState Confirmed
TargetRelease n/a
ReleasedIn n/a
Topic revision: r9 - 17 Mar 2011, RaulFRodriguez
The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. Creative Commons License    Legal Imprint    Privacy Policy