[Using Sakai] Password reset security

JOSE MARIANO LUJAN GONZALEZ jmariano at um.es
Thu Apr 12 01:19:24 PDT 2012


Hi Louis,
We've had the same thoughts and concerns about the reset-pass tool.

As Steve suggests, that functionality exists but only for 2.8.x 
reset-pass versions. Not the one that came on 2.7.1. We are considering 
adding some modifications to the 2.8.5 reset-pass tool to make it work 
in our 2.7.2 (it will include some kernel changes).

2.8.5 will work as you expect, sending the validation token.
mariano





On 05/04/2012 4:12, Steve Swinsburg wrote:
> Hi Louis,
>
> There is an account validation option so rather than changing the 
> password and emailing it, they are sent a link. Set this in 
> sakai.properties:
>
> # If set to false then password reset users get sent a new email, 
> otherwise they get a link to allow
> # them to reset their password. This prevents people from changing 
> password they don't own.
> siteManage.validateNewUsers=true
>
> cheers,
> Steve
>
>
> On 05/04/2012, at 9:12 AM, Algaze, Louis Contractor, eDataTech wrote:
>
>> Using Sakai 2.7.1
>> We have disabled the password reset feature from our Sakai login 
>> page and only give the password reset URL to system admins and 
>> responsible parties to reset passwords for users they have created. 
>>  We do this to prevent one user from resetting another user's 
>> password maliciously by entering their classmate's email address in 
>> the forgot password page.  It is more secure but creates many 
>> password reset trouble tickets.
>>
>>   * Has anyone seen this maliciousness occur or are we just being
>>     paranoid?
>>   * Has anyone developed another mechanism to validate the user
>>     getting their password reset?  See below for suggestions.
>>   * What about the possibility of, when a username/email address is
>>     input into the password reset page, instead of Sakai changing the
>>     user's password and sending it to the email address, send a
>>     tokenized link (similar to account validation
>>     [https://confluence.sakaiproject.org/display/~dhorwitz/Account+Validator
>>     <https://confluence.sakaiproject.org/display/%7Edhorwitz/Account+Validator>])
>>     which will allow the user to follow a link and input a new
>>     password.  This way if no action is performed by the user, their
>>     password will not get reset.
>>
>> Additional validations could include:
>>
>>   * a dropdown list of course site titles, only one in which the user
>>     is enrolled and to reset their password they need to select the
>>     correct course site.  If they are not enrolled in any classes,
>>     the word none could appear
>>   * Same thing with last login date, once again, if they have never
>>     logged in before that option would exist
>>   * Along the same lines, who is one of your instructors or classmates.
>>
>> Of course this would work only for Sakai local accounts and not CAS, 
>> AD, etc.
>>
>> Any thoughts on this topic are appreciated.
>>
>> Louis
>> _______________________________________________
>> sakai-user mailing list
>> sakai-user at collab.sakaiproject.org 
>> <mailto:sakai-user at collab.sakaiproject.org>
>> http://collab.sakaiproject.org/mailman/listinfo/sakai-user
>>
>> TO UNSUBSCRIBE: send email to 
>> sakai-user-unsubscribe at collab.sakaiproject.org with a subject of 
>> "unsubscribe"


-- 
******************************************
José Mariano Luján González - Aula Virtual
Area de Tecnologías de la Información
y las Comunicaciones Aplicadas (ATICA)
UNIVERSIDAD DE MURCIA - http://www.um.es
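An added illustration, not Sakai's reset-pass code, of the tokenized flow Louis proposes and the 2.8.x tool provides: the server stores only a hash of a random single-use token with an expiry, and the password changes only when the link is actually followed. The class name, the one-hour TTL and the in-memory user store are assumptions for this example.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # assumption: the link is valid for one hour


class PasswordResetService:
    """Tokenized reset: requesting a reset never changes the password."""

    def __init__(self, users, now=time.time):
        self.users = users      # constructed sample: {username: {"email": ..., "password": ...}}
        self.pending = {}       # username -> (sha256(token), expiry timestamp)
        self.now = now          # injectable clock so expiry can be exercised in tests

    def request_reset(self, username):
        """Issue a single-use token; only its hash is kept server-side."""
        if username not in self.users:
            return None         # nothing issued, nothing changed
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[username] = (digest, self.now() + TOKEN_TTL_SECONDS)
        return token            # this value goes into the emailed link only

    def complete_reset(self, username, token, new_password):
        """Change the password only for an unexpired, unused, matching token."""
        entry = self.pending.get(username)
        if entry is None:
            return False
        digest, expiry = entry
        if self.now() > expiry:
            del self.pending[username]      # stale token is discarded
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, presented):
            return False                    # wrong token: state untouched
        del self.pending[username]          # single use: consumed on success
        # constructed sample stores the value directly; a real store hashes it
        self.users[username]["password"] = new_password
        return True


def demo():
    """Run the flow against a constructed user and report the outcome."""
    svc = PasswordResetService({"louis": {"email": "louis@example.edu", "password": "old"}})
    token = svc.request_reset("louis")
    untouched = svc.users["louis"]["password"] == "old"
    changed = svc.complete_reset("louis", token, "new")
    replay = svc.complete_reset("louis", token, "again")
    return untouched, changed, replay
```

Requesting a reset for someone else's account therefore has no effect on their password; only the holder of the mailbox that received the token can complete it.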
