The password recovery process

This is a forum to suggest new features for mojoPortal. 

4/28/2009 6:27:40 AM
Thomas N. TALESIS SARL Conseil / Expertise en développement DOTNET

The password recovery process

Hi Joe,

I'm using a mojoPortal installation where the 'Require Security Question and Answer' setting is disabled.
I need this because users are created by someone else.

I found that once a valid username is entered in RecoverPassword.aspx (no need to be authenticated to do this), the related user password is immediately reset! (even in case of SMTP failure)

A more standard and secure procedure would be to send a link to the user, and then reset the password only when the emailed link is called.

This is not a big issue for the current solution I have to build, but it can be a real problem for some people.
In the future, that would be a nice security improvement.

Best regards,

Thomas.

4/28/2009 6:33:57 AM

Re: The password recovery process

Hi Thomas,

I agree it could and should be improved. However, the password is only reset if it's hashed, not if encrypted, because a hashed password cannot be recovered. If it's clear text or encrypted it just sends the current password to the user's email address; it does not reset it. So if you need to use it without question and answer then I recommend using encrypted passwords rather than hashed.

At some point I will improve the process so that for hashed passwords it will do as you suggest and send a link to reset it.

Hope it helps,

Joe 
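The flow Thomas proposes in the first post, as an added example that is not mojoPortal code: an unauthenticated request for a username only issues a random, single-use, expiring token by e-mail; the stored hash is not touched until the e-mailed link is followed, so entering someone else's username (or an SMTP failure) cannot lock them out. Joe's point about hashed versus encrypted storage is the reason this flow is needed at all: a hashed password can never be mailed back, so the only options are "reset on request" (the current behaviour) or "reset on proof of mailbox control" (below). The class, function and attribute names, the in-memory store, the `outbox` list standing in for SMTP and the 30-minute lifetime are all assumptions made for this example.

```python
"""Token-based password reset: change the password only when the e-mailed
link is consumed. Added example; not mojoPortal code. All names, the
in-memory store and the outbox stand-in for SMTP are assumptions."""
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional, Tuple

TOKEN_TTL_SECONDS = 30 * 60  # assumed lifetime of a reset link


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2-SHA256 with a fresh random salt unless one is supplied (for verification)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


class UserStore:
    def __init__(self) -> None:
        self.users = {}          # username -> {"salt", "hash", "email"}
        self.reset_tokens = {}   # sha256(token) -> {"username", "expires"}
        self.outbox = []         # constructed stand-in for the SMTP queue

    def add_user(self, username: str, email: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "hash": digest, "email": email}

    def check_password(self, username: str, password: str) -> bool:
        u = self.users.get(username)
        if u is None:
            return False
        _, digest = hash_password(password, u["salt"])
        return hmac.compare_digest(digest, u["hash"])

    # Step 1: the only thing an unauthenticated caller can trigger.
    # Nothing about the account changes here.
    def request_reset(self, username: str, now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        u = self.users.get(username)
        if u is None:
            # Silently do nothing so the form cannot be used to enumerate accounts.
            return None
        token = secrets.token_urlsafe(32)
        # Store only a hash of the token: a leaked table cannot be replayed as links.
        key = hashlib.sha256(token.encode("ascii")).digest()
        self.reset_tokens[key] = {"username": username, "expires": now + TOKEN_TTL_SECONDS}
        self.outbox.append((u["email"], "https://example.invalid/reset?token=" + token))
        return token  # returned only so the example can simulate following the link

    # Step 2: runs only when the e-mailed link is followed, proving mailbox control.
    def complete_reset(self, token: str, new_password: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode("ascii")).digest()
        entry = self.reset_tokens.pop(key, None)  # pop: a token is single-use
        if entry is None or entry["expires"] < now:
            return False
        salt, digest = hash_password(new_password)
        self.users[entry["username"]].update(salt=salt, hash=digest)
        return True


if __name__ == "__main__":
    store = UserStore()
    store.add_user("thomas", "thomas@example.invalid", "correct horse")
    tok = store.request_reset("thomas")
    print("password still valid after request:", store.check_password("thomas", "correct horse"))
    print("reset via link:", store.complete_reset(tok, "new pass"))
    print("new password valid:", store.check_password("thomas", "new pass"))
    print("token reuse refused:", not store.complete_reset(tok, "again"))
```

Two details worth keeping when porting this to the real membership provider: the token table holds a hash of the token rather than the token itself, so a database read does not hand out working reset links, and the lookup pops the entry before checking expiry, so an expired or already-used link can never succeed on a retry.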

4/28/2009 6:51:49 AM
Thomas N. TALESIS SARL Conseil / Expertise en développement DOTNET

Re: The password recovery process

Joe,

Yes it helps, thank you.
