eliminating temporary passwords / expiring email links #22
Comments
|
I put it in the subject line, but forgot to mention that the link to reset the password should expire after a few hours. |
|
I agree. It might also be worth implementing an additional level of identity verification, such as asking them to enter their username, before allowing them to reset their password (after the reset link has been sent; see the flowchart at the bottom of http://www.troyhunt.com/2012/05/everything-you-ever-wanted-to-know.html). Would you want to take charge on implementing this feature? |
|
I can, although it might be several months till I can finish it. So if anyone is really anxious and wants to take it, let me know. |
|
Wouldn't it be easier to send the auth code to reset the password and when the user click the link we check too see how long it's been since the auth key was sent if say more then 6 hours or whatever time frame make them re validate and start again? |
|
@Soupala thanks! I'm going to be working mainly on the auth system over the next few weeks, so maybe after that would be a good time to implement this feature. |
|
Maybe some password reset question could be implemented eg. "Whats your favorite color" or "What hospital were you born in" ect. most people won't forget such question as these as easily as there password. |
|
Yeah, we could do something like that, although we'd need something difficult for a hacker to glean from peoples' social media accounts. See http://goodsecurityquestions.com/. We need questions that people won't forget, are universally applicable, and cannot be easy deduced from social media. |
|
We could also possibly make the questions a feature that admins can configure themselves ;-) |
|
Well we could have the user set the question and when the user requests a lost password we could have them choose the question say using radio boxes with 2 other questions if they select the right question and provide the answer as well. We could do this 2 time and have 5 questions from the user this would make it pretty secure I'd say, any ideas? |
|
tricky issue. If we leave it to the users to create their own, we can't On Wed, May 7, 2014 at 9:38 AM, Alex Weissman notifications@github.comwrote:
-Mica Mica Cardillo |
|
I updated the lost password page need to make a few fixes and drop alot of debug code but basically i changed it so there is a configurable time setting (by admin) for passwords to expire. When you get the email it will direct you to the page to change your password rather then send you a password. And to change the password you will also need to varify the username associated with the activation token. Just need to touch everything up and we can probably close this feature as well. |
|
Actually i need to do some work on this still to make sure everything is working before i make a pull but that should happen today sometime ^_^ |
|
Sweet! I'll be gone for the weekend, if I don't get a chance to look at it before I leave, I'll see it on Monday :-D |
|
Thats cool, at the moment its really rough and i still need to fix it up but i finally got the forgot_password.php to load 2 forms and process it with the js depending on what form loaded. It works though just gonna rewrite it a little bit to make it all work a bit better ^_^. yea no rush on this one though im not sure how this weekend will work out for me yet may have time or may not xD |
|
Ok this should all work wanna check this out (https://github.com/lilfade/UserFrosting/compare/alexweissman:butterflyknife...master) and let me know what you think of the changes and if you think we need anything else added. I still have to add the new msgs to the lang array but thats about it i think. |
|
Nice, looks fantastic. This is getting me to thinking, that rather than keeping all of these seldom-used variables (activation requests, password requests, etc) directly in the user table, we could keep them in a separate table. Then we could keep a sort of history of account events for users, and the user table would be less cluttered. |
|
did you just want to use something like this then: ?
or maybe we can do something like
only issue i can see is if we hold all values of a user's request is we might end up having a very long table of data but we could setup a function to clear this table on a set schedule. |
|
Hmm, I like the second although we'd need every entry to have a timestamp so we can identify the most recent value. Let's wait on this, it's not critical to pushing butterflyknife. We'll try to gauge what people want for future releases. |
|
Implemented in |
New feature proposal.
What about changing the default method for how UserCake is currently dealing with forgotten passwords.
It's not an ideal user experience or security practice to email passwords to users, even if the password is only temporary. We can't assume that users will change their password, and it's just another step the user shouldn't have to worry about.
Once they click on the link, that should immediately take them to a screen that prompts them to reset their password.
Should UserFrosting have to stay consistent with UserCake on this issue, or would this be a candidate just for UserFrosting's roadmap?
The text was updated successfully, but these errors were encountered: