[Using Sakai] Password reset security

Matthew Jones matthew at longsight.com
Wed Apr 4 19:16:49 PDT 2012


Agreed, most "big services" don't require any extra validation to get a
password reset. The worst that could happen is that the recipient would get
a lot of spam from the server with links telling them to go and reset.
But the password doesn't actually get reset until the link is clicked.

On Wed, Apr 4, 2012 at 10:12 PM, Steve Swinsburg
<steve.swinsburg at gmail.com> wrote:

> Hi Louis,
>
> There is an account validation option so rather than changing the password
> and emailing it, they are sent a link. Set this in sakai.properties:
>
> # If set to false then password reset users get sent a new email,
> otherwise they get a link to allow
> # them to reset their password. This prevents people from changing
> password they don't own.
> siteManage.validateNewUsers=true
>
> cheers,
> Steve
>
>
> On 05/04/2012, at 9:12 AM, Algaze, Louis Contractor, eDataTech wrote:
>
>  Using Sakai 2.7.1
> We have disabled the password reset feature from our Sakai login page
> and only give the password reset URL to system admins and responsible
> parties to reset passwords for users they have created.  We do this to
> prevent one user from resetting another user's password maliciously by
> entering their classmate's email address in the forgot password page.  It
> is more secure but creates many password reset trouble tickets.
>
>    - Has anyone seen this maliciousness occur or are we just being
>    paranoid?
>    - Has anyone developed another mechanism to validate the user getting
>    their password reset?  See below for suggestions.
>    - What about the possibility of, when a username/email address is
>    input into the password reset page, instead of Sakai changing the user's
>    password and sending it to the email address, send a tokenized link
>    (similar to account validation [
>    https://confluence.sakaiproject.org/display/~dhorwitz/Account+Validator])
>    which will allow the user to follow a link and input a new password.  This
>    way if no action is performed by the user, their password will not get
>    reset.
>
> Additional validations could include:
>
>    - a dropdown list of course site titles, only one in which the user is
>    enrolled and to reset their password they need to select the correct course
>    site.  If they are not enrolled in any classes, the word none could appear
>    - Same thing with last login date, once again, if they have never
>    logged in before that option would exist
>    - Along the same lines, who is one of your instructors or classmates.
>
> Of course this would work only for Sakai local accounts and not CAS, AD,
> etc.
>
>  Any thoughts on this topic are appreciated.
>
>  Louis
>  _______________________________________________
> sakai-user mailing list
> sakai-user at collab.sakaiproject.org
> http://collab.sakaiproject.org/mailman/listinfo/sakai-user
>
> TO UNSUBSCRIBE: send email to
> sakai-user-unsubscribe at collab.sakaiproject.org with a subject of
> "unsubscribe"
>
>
>
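The point the whole thread turns on is that a reset request must change nothing by itself: the link only lets the person who receives the email set a new password, so typing a classmate's address produces unwanted mail at worst. The sketch below is an added example, not Sakai's Account Validator or any code from this thread; the class and method names (ResetService, request_reset, complete_reset) are invented, the one-hour lifetime is a constructed value, and passwords are kept in plaintext purely to keep the demo short.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # constructed value: a mailed link is good for one hour


class ResetService:
    """Tokenized reset: the stored password is untouched until a valid link is used."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be exercised in tests
        self.passwords = {}     # username -> password (plaintext only for this demo)
        self.pending = {}       # username -> (sha256 hex of token, expiry timestamp)

    def request_reset(self, username):
        """Handles whatever is typed into the 'forgot password' page.

        Anyone may call this, and that is acceptable: nothing about the account
        changes here. Only a random, single-use token is recorded, and the token
        itself goes out by email. The web page should show the same 'if that
        account exists, mail has been sent' message whether or not None comes back.
        """
        if username not in self.passwords:
            return None
        token = secrets.token_urlsafe(32)                 # 256 bits of randomness
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[username] = (digest, self.now() + TOKEN_TTL_SECONDS)
        return token  # stands in for the link mailed to the account owner

    def complete_reset(self, username, token, new_password):
        """Only the holder of the mailed token can change the password."""
        entry = self.pending.get(username)
        if entry is None:
            return False
        digest, expiry = entry
        if self.now() > expiry:
            self.pending.pop(username)                    # stale link, discard it
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, presented):    # constant-time comparison
            return False
        self.pending.pop(username)                        # single use
        self.passwords[username] = new_password
        return True
```

Only the hash of the token is stored, so a copy of the pending table does not let anyone finish a reset; the clock is injected so the expiry path can be tested offline.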