[Zope-PTK] Re: Proposal: password policy change

Paul Everitt Paul@digicool.com
Sat, 26 Aug 2000 06:43:50 -0400


I've seen this pattern quite often:

  Let someone choose during account creation a challenge question, then 
  they type in the challenge answer.

--Paul

> -----Original Message-----
> From: Shane Hathaway [mailto:hathawsh@yahoo.com]
> Sent: Wednesday, August 23, 2000 6:27 AM
> To: sciasbat@inorbit.com
> Cc: zope-ptk@zope.org
> Subject: [Zope-PTK] Re: Proposal: password policy change
> 
> 
> Fabio,
> 
> > While integrating the PortalMembership system I had to deal with
> > different password policies: PM stores encrypted passwords and
> > obviously doesn't have a getPassword method, which is useless in
> > this case. To manage the mail_password_form it skips the problem of
> > reading it by generating a new password and replacing the old one.
> > I think this is the most secure way to handle passwords and should
> > be implemented also in the standard PTK portal_registration. We need
> > just to eliminate the getPassword method, and modify the mailPassword
> > (I propose to rename it mailNewPassword) method in order to:
> > 1) generate a new pwd
> > 2) set it
> > 3) mail it
> 
> This is an excellent idea.  I would suggest that it be
> implemented in a different way, however.  Consider:
> 
> 1) People will forget their passwords and need a way
> out.  The most "user friendly" way out is for them to
> receive their password again via e-mail.  Of course
> this is terribly insecure, but slashdot and many
> others do it this way, so those who run PTK sites will
> expect this to be an option.
> 
> 2) If we allow passwords to be instantly reset by
> anonymous users then that capability will be abused by
> intruders.
> 
> In order for your plan to work, therefore, we need to
> provide the option to set a temporary password.  This
> temporary password would be in addition to the user's
> normal password.
> 
> Scenario 1:
> 
> a) User tries to log in but forgot password.
> b) Clicks "Set temporary password".
> c) Receives e-mail with temporary password.
> d) Logs in with temporary password.  User is either
> required to set a new password immediately, or the
> temporary password becomes the permanent password.
> 
> Scenario 2:
> 
> a) Hostile intruder wants to attack Joe's account.
> b) Intruder uses an HTTP request generator to cause
> the "temporary password" function to be executed
> 1,000,000 times for Joe's account.
> c) Joe's mailbox overflows.  The most recent temporary
> password is lost in cyberspace.
> d) Joe goes to sysadmin and asks for help.
> e) Sysadmin says "just use your old password, it still
> works" or "just delete the messages and request a new
> temporary password".
> f) Joe does, it works, and the intruder is (mostly)
> thwarted.
> 
> Shane
> 
> _______________________________________________
> Zope-PTK maillist  -  Zope-PTK@zope.org
> http://lists.zope.org/mailman/listinfo/zope-ptk
> 
> See http://www.zope.org/Products/PTK/Tracker for bug reports 
> and feature requests
>
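The design Shane sketches above (a time-limited temporary password that is issued alongside, not instead of, the permanent one) as an added Python example; this is not PTK or PortalMembership code, and the `Member` class, `TEMP_TTL` and the in-memory storage are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumed lifetime of a temporary password, in seconds (not a PTK setting).
TEMP_TTL = 3600
# PBKDF2 iteration count kept modest so the example runs quickly.
_ITERATIONS = 20_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


class Member:
    """Hypothetical member record: permanent password plus optional temporary one."""

    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.pw_hash = _hash(password, self.salt)  # permanent password, never mailed
        self.temp_hash = None                      # outstanding temporary password, hashed
        self.temp_expires = 0.0
        self.must_change = False                   # set after a temporary-password login

    def request_temporary_password(self, now=None) -> str:
        """Scenario 1 b/c: issue a temporary password to be mailed to the user.
        The permanent password is untouched, so Scenario 2 cannot lock Joe out;
        each new request simply replaces the previous temporary password."""
        temp = secrets.token_urlsafe(12)
        self.temp_hash = _hash(temp, self.salt)
        self.temp_expires = (time.time() if now is None else now) + TEMP_TTL
        return temp  # a real system would mail this instead of returning it

    def authenticate(self, password: str, now=None) -> bool:
        now = time.time() if now is None else now
        candidate = _hash(password, self.salt)
        if hmac.compare_digest(candidate, self.pw_hash):
            return True  # "just use your old password, it still works"
        if (self.temp_hash is not None and now < self.temp_expires
                and hmac.compare_digest(candidate, self.temp_hash)):
            self.temp_hash = None      # single use
            self.must_change = True    # Scenario 1 d: require a new password now
            return True
        return False

    def set_password(self, new_password: str) -> None:
        self.salt = os.urandom(16)
        self.pw_hash = _hash(new_password, self.salt)
        self.temp_hash = None
        self.must_change = False
```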