[Zope-PTK] Proposal: password policy change

Renato De Giovanni rdg@viafractal.com.br
Wed, 23 Aug 2000 20:04:34 -0300


Hi,

I would like to suggest another password policy option:

- store encrypted password.
- store a password reminder.
- upon request, user may receive by e-mail something like:

"Your password reminder is 'blabla'.
You may try to login again at 'url_1'.
But if you still don't remember your password >:-(
you may use the link below to set it
to this new option: 'xyz...'
To change it, just go to 'url_2'"

- note that it's not necessary to set or even store the new password unless the user
clicks on url_2 (url_2 may for instance contain 3 parameters: login, new password and
a signature to check it later, or it may contain one parameter that encrypts a string
such as "login=joe,newpass=xyz...")
- to avoid a "password reminder mailing attack", the last date/time the e-mail was
sent may be stored, to avoid resending it before some elapsed time.

Moreover, I think it would also be desirable to provide a way to help users remember
their login, don't you think so? Unfortunately that happens too...

--
Renato
Sao Paulo - SP - Brasil
rdg@viafractal.com.br

> While integrating the PortalMembership system I had to deal with a different
> password policy: PM stores encrypted passwords and obviously doesn't have a
> getPassword method, which would be useless in this case. To manage the
> mail_password_form it skips the problem of reading it by generating a new
> password and replacing the old one. I think this is the most secure way
> to handle passwords and should be implemented also in the standard PTK
> portal_registration. We need just to eliminate the getPassword method,
> and modify the mailPassword (I propose to rename it mailNewPassword)
> method in order to:
> 1) generate a new pwd
> 2) set it
> 3) mail it
>
> I don't think that in this way other membership systems will be affected
> (they just have to change the way they check passwords if they do a mere
> comparison with non-encrypted passwords) and this will allow us to
> integrate PM using the registration_tool (at present, to have PM working
> I have bypassed it)
>
> ByE,
> FF
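The flow proposed above (hashed password at rest, reminder mailed on request, a url_2 that carries login, proposed new password and a signature, and a stored last-sent time to throttle reminder mails), worked through as an added example. This is illustration code written for this page, not PTK or PortalMembership code. The portal URL, the one-hour link lifetime, the fifteen-minute resend interval and the user record for "joe" are all assumptions. One detail goes beyond the proposal: the signature also covers the user's current password hash, so a link stops verifying as soon as the password has changed, which makes each link single-use. Since the link alone is enough to set the password, it is a bearer credential: it should only travel over TLS and should expire.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Server-side signing key (assumption: generated once at startup).
SERVER_KEY = secrets.token_bytes(32)

RESET_URL_BASE = "https://portal.example/setPassword"  # hypothetical url_2
TOKEN_TTL = 3600         # seconds a reset link stays valid (assumption)
RESEND_INTERVAL = 900    # minimum seconds between reminder mails per login (assumption)

# Constructed sample user record: hashed password, reminder phrase, last mail time.
users = {
    "joe": {"pw_hash": None, "reminder": "the cat's name", "last_mail": 0.0},
}


def hash_password(password, salt=None):
    """Salted PBKDF2 hash; the clear-text password is never stored."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def check_password(password, stored):
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def verify_login(login, password):
    user = users.get(login)
    return bool(user and user["pw_hash"] and check_password(password, user["pw_hash"]))


def _sign(login, newpass, expires, current_hash):
    # Binding the current hash into the MAC invalidates the link once the password changes.
    msg = "\0".join([login, newpass, str(expires), current_hash or ""]).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def build_reset_link(login, newpass, now):
    """url_2: login, proposed new password and a signature. Nothing is stored yet."""
    expires = int(now) + TOKEN_TTL
    sig = _sign(login, newpass, expires, users[login]["pw_hash"])
    return RESET_URL_BASE + "?" + urlencode(
        {"login": login, "newpass": newpass, "expires": expires, "sig": sig})


def parse_reset_link(url):
    q = parse_qs(urlsplit(url).query)
    try:
        return {"login": q["login"][0], "newpass": q["newpass"][0],
                "expires": int(q["expires"][0]), "sig": q["sig"][0]}
    except (KeyError, IndexError, ValueError):
        return None


def request_reminder(login, now=None):
    """Mail body for the reminder, or None when throttled or the login is unknown."""
    now = time.time() if now is None else now
    user = users.get(login)
    if user is None or now - user["last_mail"] < RESEND_INTERVAL:
        return None          # same answer for unknown login and for "too soon"
    user["last_mail"] = now  # the stored last date/time that throttles resends
    newpass = secrets.token_urlsafe(12)  # proposed password; set only if url_2 is clicked
    return (f"Your password reminder is '{user['reminder']}'.\n"
            f"If you still do not remember it, this link sets it to '{newpass}':\n"
            f"{build_reset_link(login, newpass, now)}\n")


def apply_reset_link(url, now=None):
    """Handler for url_2: verify expiry and signature, only then set the password."""
    now = time.time() if now is None else now
    p = parse_reset_link(url)
    if p is None or now > p["expires"]:
        return False
    user = users.get(p["login"])
    if user is None:
        return False
    expected = _sign(p["login"], p["newpass"], p["expires"], user["pw_hash"])
    if not hmac.compare_digest(p["sig"].encode(), expected.encode()):
        return False
    user["pw_hash"] = hash_password(p["newpass"])
    return True
```

The signature check uses hmac.compare_digest so that a forged link cannot be refined byte by byte through timing, and the handler answers the same way for an unknown login as for a throttled one, so the reminder endpoint does not confirm which logins exist.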