Re: Forgotten password recovery
Vincent Panel wrote:
> Thanks, but as discussed, even creating a user able to reset all the
> userPassword attributes of all other users is not security risk free.
> This is what I call a privileged user and I would like to avoid it.
You can't avoid it if the reset service has to run automagically.
> Drupal already supports such a solution, but I don't find it secure
> enough.
Then you have to add some human admin interaction.
> I had an interesting suggestion on the list : to create a database of
> temporary security objects where drupal is the only one who knows the
> passwords. Each temporary security object is able to reset one
> password in the main database (by the use of regex ACLs) and only
> once.
Yes, but these "temporary security objects" have to be generated. If you
do this automagically you have a privileged service account which resets
the user's password in combination with an e-mail based
challenge-response check. I don't think it's a big security issue
though. IMO if you suspect your password reset web component of being
compromised you should worry about much more in the whole system.
Ciao, Michael.
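The "temporary security object" design discussed above, as an added Python example that is not code from this thread or from Drupal/OpenLDAP: each object authorises the reset service to change one user's password once, only while the e-mailed challenge is live; the in-memory stores and names are assumptions standing in for the directory.

```python
"""Single-use, per-user password-reset authorisations (illustration only).

Models one "temporary security object" per reset request: it is bound to a
single uid, expires, and is consumed on first use. Only a hash of the mailed
challenge is stored, so reading the store yields nothing redeemable.
"""
import hashlib
import secrets
import time
from typing import Optional

TOKEN_TTL = 600  # seconds the e-mailed challenge stays valid (assumed value)

# Constructed sample directory: uid -> userPassword (plaintext only for the demo)
directory = {"alice": "old-secret", "bob": "other-secret"}
# Temporary security objects: sha256(token) -> {uid, expires, used}
reset_objects = {}


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset(uid: str, now: Optional[float] = None) -> str:
    """Create a reset object for uid and return the challenge to e-mail."""
    if uid not in directory:
        raise KeyError(uid)
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    reset_objects[_hash(token)] = {"uid": uid, "expires": now + TOKEN_TTL, "used": False}
    return token


def redeem_reset(uid: str, token: str, new_password: str,
                 now: Optional[float] = None) -> bool:
    """Change uid's password only if token is a live, unused object bound to uid."""
    now = time.time() if now is None else now
    obj = reset_objects.get(_hash(token))
    if obj is None or obj["used"] or now > obj["expires"]:
        return False
    if obj["uid"] != uid:  # an object may reset exactly one user, never another
        return False
    obj["used"] = True  # consumed before the write, so a retry cannot reuse it
    directory[uid] = new_password  # the privileged write happens only here
    return True
```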