Forum OpenACS Development: Re: Can question/secret answer be removed from password recovery?

Note: The reason the system resets the password to a random string before emailing the user the password is presumably to more or less guarantee that the user will change the password to something else after logging in, rather than leaving the password set to a string which was sent in the clear via email.

So that's one advantage to resetting the password in that fashion, but it has to be weighed against the disadvantages Joel brought up above. The denial of service implications probably never occurred to whoever implemented the current password resetting scheme...

I don't think it makes sense to say, "Most of this security is of limited use because the transaction isn't encrypted". Whether or not the web page is encrypted in transit with SSL is entirely separate from whether the user has logged in yet or not. Remember that depending on how the admin has things set up, the login page where the user sends his password may itself not use SSL! All OpenACS pages asking for passwords or secret phrases should follow the same setting, either they all require SSL or none of them do. Of course, making sure there's only one such page may be the simplest way to do that. :)

Whether or not the login page uses SSL is presumably a security choice by the site owner. It should use SSL, yes, but if you're running a site with unimportant user data but lots and lots of users, maybe you'll want to economize on server hardware by not supporting SSL even for the login page. Bad idea IMNSHO, but note that Yahoo and even eBay both default to non-SSL logins, so insecure login pages seem to be fairly industry standard, if it means saving a few bucks on hardware costs.

All that said, I don't personally have any problem with removing the secret answer/question business, sounds fine to me. I wonder about existing sites out there using OpenACS though, maybe some of them have a requirement for this? I guess if it's taken out for OpenACS 5.0 rather than 4.6.x, and is mentioned in the Change Log for 5.0, that should be good enough. If anyone really really wants to keep a secret question/answer feature they can always forward port it from 4.6, as long as they know about the change.