[Using Sakai] Password reset security

Algaze, Louis Contractor, eDataTech ljalgaze at nps.edu
Wed Apr 4 16:12:43 PDT 2012


Using Sakai 2.7.1
We have disabled the password reset feature from our Sakai login page and only give the password reset URL to system admins and responsible parties to reset passwords for users they have created.  We do this to prevent one user from resetting another user's password maliciously by entering their classmate's email address in the forgot password page.  It is more secure but creates many password reset trouble tickets.

  *   Has anyone seen this maliciousness occur or are we just being paranoid?
  *   Has anyone developed another mechanism to validate the user getting their password reset?  See below for suggestions.
  *   What about the possibility of, when a username/email address is input into the password reset page, instead of Sakai changing the user's password and sending it to the email address, send a tokenized link (similar to account validation [https://confluence.sakaiproject.org/display/~dhorwitz/Account+Validator]) which will allow the user to follow a link and input a new password.  This way if no action is performed by the user, their password will not get reset.

Additional validations could include:

  *   a dropdown list of course site titles, only one of which the user is enrolled in; to reset their password they need to select the correct course site.  If they are not enrolled in any classes, the word "none" could appear
  *   Same thing with last login date, once again, if they have never logged in before that option would exist
  *   Along the same lines, who is one of your instructors or classmates.

Of course this would work only for Sakai local accounts and not CAS, AD, etc.

Any thoughts on this topic are appreciated.

Louis
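The tokenized-link flow proposed in the third bullet above, written out as an added example. This is not Sakai's own code nor the Account Validator linked in the post; the in-memory USERS and PENDING_RESETS tables, the 30-minute lifetime, and PBKDF2 as the password hash are all assumptions standing in for whatever the real application uses. The point it demonstrates is the one Louis raises: submitting someone else's address changes nothing about their account, because the password is only replaced when the e-mailed token is presented, and the token is random, stored only as a hash, time-limited and single-use.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 30 * 60   # assumed policy: a reset link is valid for 30 minutes

# Constructed in-memory stores standing in for the application's user table
# and a "pending password resets" table.
USERS = {}            # username -> {"email": str, "salt": bytes, "pw_hash": bytes}
PENDING_RESETS = {}   # sha256(token) -> {"user": str, "expires": float}


def _pw_hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 from the standard library; a production system would use the
    # platform's own password hasher, but the reset logic is the same.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def set_password(user: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[user]["salt"] = salt
    USERS[user]["pw_hash"] = _pw_hash(password, salt)


def verify_password(user: str, password: str) -> bool:
    rec = USERS[user]
    return hmac.compare_digest(_pw_hash(password, rec["salt"]), rec["pw_hash"])


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """Step 1: someone types an e-mail address into the 'forgot password' page.

    The account is left untouched. A random token is minted, only its hash is
    stored (so reading the table does not yield usable links), and the raw
    token is what the e-mailed link carries. Returns that token, or None when
    the address is unknown; the page shown to the requester must look the same
    in both cases so it cannot be used to enumerate addresses.
    """
    now = time.time() if now is None else now
    user = next((u for u, rec in USERS.items() if rec["email"] == email), None)
    if user is None:
        return None
    # One outstanding link per account: a new request supersedes older ones.
    for h in [h for h, rec in PENDING_RESETS.items() if rec["user"] == user]:
        del PENDING_RESETS[h]
    token = secrets.token_urlsafe(32)
    PENDING_RESETS[_token_hash(token)] = {"user": user, "expires": now + TOKEN_TTL_SECONDS}
    return token


def complete_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Step 2: the link is followed and a new password is submitted.

    Only now does the password change. The token is consumed on first use,
    whether or not it turns out to be valid, and rejected after its expiry.
    """
    now = time.time() if now is None else now
    rec = PENDING_RESETS.pop(_token_hash(token), None)
    if rec is None or now > rec["expires"]:
        return False
    set_password(rec["user"], new_password)
    return True


if __name__ == "__main__":
    USERS["alice"] = {"email": "alice@example.edu"}
    set_password("alice", "old-password")
    link_token = request_reset("alice@example.edu")
    # A classmate typed alice's address but the link was never followed:
    # the old password still works and nothing was mailed out in clear.
    print(verify_password("alice", "old-password"))
    print(complete_reset(link_token, "new-password"))
    print(verify_password("alice", "new-password"))
```

Hashing the token before storage means a leaked or backed-up reset table cannot be turned into working links, and popping the record on first presentation means a link captured from a mailbox or proxy log is useless once the legitimate user has used it (or once its lifetime has passed). The knowledge-based checks suggested later in the post (course site, last login, instructor) could be layered on top of this in the same completion step, but they are not a substitute for the token, since that information is usually known to exactly the classmates the post is worried about.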