[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Forgotten password recovery

Vincent Panel wrote:
> Thanks, but as discussed, even creating a user able to reset all the
> userPassword attributes of all other users is not security risk free.
> This is what I call a privileged user and I would like to avoid it.

You can't avoid it if the reset service has to run automagically.

> Drupal already supports such a solution, but I don't find it secure
> enough.

Then you have to add some human admin interaction.

> I had an interesting suggestion on the list : to create a database of
> temporary security objects where drupal is the only one who knows the
> passwords. Each temporary security object is able to reset one
> password in the main database (by the use of regex ACLs) and only
> once.

Yes, but these "temporary security objects" have to be generated. If you
do this automagically you have a privileged service account which resets
the user's password in combination with a e-mail based
challenge-response check. I don't think it's a big security issue
though. IMO if you suspect your password reset web component being
compromised you should worry about much more in the whole system.

Ciao, Michael.