[Using Sakai] Password reset security

Steve Swinsburg steve.swinsburg at gmail.com
Wed Apr 4 19:12:05 PDT 2012


Hi Louis,

There is an account validation option so rather than changing the password and emailing it, they are sent a link. Set this in sakai.properties:

# If set to false then password reset users get sent a new email, otherwise they get a link to allow
# them to reset their password. This prevents people from changing password they don't own.
siteManage.validateNewUsers=true

cheers,
Steve


On 05/04/2012, at 9:12 AM, Algaze, Louis Contractor, eDataTech wrote:

> Using Sakai 2.7.1
> We have disabled the password reset feature from the our Sakai login page and only give the password reset URL to system admins and responsible parties to reset passwords for users' they have created.  We do this to prevent one user from resetting another user's password maliciously by entering their classmate's email address in the forgot password page.  It is more secure but creates many password reset trouble tickets.
> Has anyone seen this maliciousness occur or are we just being paranoid?
> Has anyone developed another mechanism to validate the user getting their password reset?  See below for suggestions.
> What about the possibility of, when a username/email address is input into the password reset page, instead of Sakai changing the user's password and sending it to the email address, send a tokenized link (similar to account validation [https://confluence.sakaiproject.org/display/~dhorwitz/Account+Validator]) which will allow the user to follow a link and input a new password.  This way if no action is performed by the user, their password will not get reset.
> Additional validations could include:
> a dropdown list of course site titles, only one in which the user is enrolled and to reset their password they need to select the correct course site.  If they are not enrolled in any classes, the word none could appear
> Same thing with last login date, once again, if they have never logged in before that option would exist
> Along the same lines, who is one of your instructors or classmates.
> Of course this would work only for Sakai local accounts and not CAS, AD, etc.
> 
> Any thoughts on this topic are appreciated.
> 
> Louis
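The tokenized reset link that Louis proposes (quoted above) and that Steve's siteManage.validateNewUsers setting turns on, as an added Python sketch written for this page; it is not code from the thread or from Sakai itself, and the in-memory store, the example URL, the user ids and the one-hour link lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 3600  # assumed link lifetime; Sakai's own setting may differ

@dataclass
class PendingReset:
    token_hash: bytes  # only SHA-256(token) is stored; the token itself goes in the email
    expires_at: float

@dataclass
class ResetStore:  # constructed in-memory stand-in for the database tables involved
    pending: dict = field(default_factory=dict)    # user_id -> PendingReset
    passwords: dict = field(default_factory=dict)  # user_id -> (salt, pbkdf2 hash)

def _hash_token(token: str) -> bytes:
    return hashlib.sha256(token.encode()).digest()

def request_reset(store, users_by_email, email, now):
    """Step 1: anyone may submit an address. The account is untouched; the only side
    effect is a pending, hashed, time-limited token. Returns the link to mail, or None
    when nothing matches (the page shown to the requester must look the same either way)."""
    user_id = users_by_email.get(email.strip().lower())
    if user_id is None:
        return None
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    # A fresh request replaces any earlier pending token for the same user.
    store.pending[user_id] = PendingReset(_hash_token(token), now + TOKEN_TTL_SECONDS)
    return f"https://sakai.example.edu/account-validation?user={user_id}&token={token}"

def redeem_reset(store, user_id, token, new_password, now):
    """Step 2: reached only by whoever followed the emailed link. The token must be
    unexpired and match in constant time; it is consumed on success and the password
    changes only here. Rate-limit attempts in front of this function."""
    entry = store.pending.get(user_id)
    if entry is None:
        return False
    if now > entry.expires_at:
        del store.pending[user_id]
        return False
    if not hmac.compare_digest(_hash_token(token), entry.token_hash):
        return False
    del store.pending[user_id]  # single use
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
    store.passwords[user_id] = (salt, pw_hash)
    return True
```

Until the link is followed nothing changes, so a classmate typing someone else's address only causes an email to that person's own mailbox.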
