View Issue Details
| Field | Value |
|---|---|
| ID | 0002304 |
| Project | Composr |
| Category | core_cns |
| View Status | public |
| Date Submitted | 2016-03-16 16:16 |
| Last Update | 2020-03-28 02:38 |
| Reporter | Chris Graham |
| Assigned To | Chris Graham |
| Fixed in Version | |
| Summary | 0002304: Greater password reset flexibility |
Description: Different sites want different complexities. We range from a situation of a non-important site that is accessed by people on fiddly smartphones who don't even know how to use computers properly, to a very high-security enterprise extranet.
Implement 3 config options, replacing current password reset options:
- List, New password comes from (*): randomly generated and shown in 1st e-mail (**), user [after link clicked from 1st e-mail], randomly generated and shown after link clicked from 1st e-mail, randomly generated and sent in 2nd e-mail
- Checkbox, Ultra reset security. The 1st e-mail actually doesn't include a link; it just includes a raw reset code/password, with an obfuscated From name. The user has to know what it is to use it.
- Checkbox, New password assigned is temporary only and must be changed when logging in (only applies if "user" wasn't selected for "new password comes from")
- Integer, How long reset codes last for in minutes
- Checkbox, Reset codes are numeric (numeric is easier to type, especially on a smartphone - but less secure for brute force cracking)
(*) In increasing order of security
(**) In this case the password reset code also works as a login password. When you log in using it, the system recognises this situation, and copies it to your password, making the password reset code null again.
| Field | Value |
|---|---|
| Tags | Roadmap: v11, Type: Security |
| Time estimation (hours) | 8 |
Curious. What about implementing security questions for password reset?
There's a lot of overlap in here with stuff already done with the "Password reset process" option (maybe that option was inspired by this issue and I forgot to comment), and a fair amount of over-complexity. I like what we currently do. For example, there's no real reason to give the webmaster the choice between an emailed temporary password and having the confirmation link ask them to choose a new password immediately.
I don't see a reason to have numeric confirmation codes. Already it's a link to click that includes the code, unless the user has an awful email client - which I've never seen.
"Integer, How long reset codes last for in minutes" is important, and I will implement for v11 and then mark this issue resolved.
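As an added illustration (Python, not Composr's own PHP code) of the reset-code settings discussed in the description and the note above, the block below generates a code under hypothetical "numeric" and "lifetime in minutes" settings, stores only a hash of it, accepts it once within its lifetime, and quantifies the brute-force gap between numeric and alphanumeric codes; every name and config value here is an assumption.

```python
import hashlib, hmac, math, secrets, string
from dataclasses import dataclass
from typing import Optional

# Hypothetical settings standing in for the options proposed in the issue.
RESET_CODE_NUMERIC = False   # "Reset codes are numeric"
RESET_CODE_MINUTES = 60      # "How long reset codes last for in minutes"
RESET_CODE_LENGTH = 12

def alphabet(numeric: bool) -> str:
    return string.digits if numeric else string.ascii_letters + string.digits

def generate_reset_code(numeric: bool = RESET_CODE_NUMERIC,
                        length: int = RESET_CODE_LENGTH) -> str:
    """Draw the code from the OS CSPRNG (secrets), never from random.random()."""
    return "".join(secrets.choice(alphabet(numeric)) for _ in range(length))

def brute_force_bits(numeric: bool, length: int) -> float:
    """Guessing work in bits: log2(alphabet_size ** length)."""
    return length * math.log2(len(alphabet(numeric)))

@dataclass
class MemberRow:
    """Stand-in for the member record; only a hash of the code is stored."""
    reset_hash: Optional[str] = None
    reset_expires: Optional[int] = None   # unix time, seconds

def _digest(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()

def issue_reset(member: MemberRow, now: int, numeric: bool = RESET_CODE_NUMERIC,
                minutes: int = RESET_CODE_MINUTES) -> str:
    """Create the code that goes into the e-mail; clear text is returned, not stored."""
    code = generate_reset_code(numeric)
    member.reset_hash = _digest(code)
    member.reset_expires = now + minutes * 60
    return code

def redeem_reset(member: MemberRow, presented: str, now: int) -> bool:
    """Accept a code once and within its lifetime; null it on success or expiry."""
    if member.reset_hash is None or member.reset_expires is None:
        return False
    if now > member.reset_expires:
        member.reset_hash = member.reset_expires = None   # expired: discard
        return False
    ok = hmac.compare_digest(member.reset_hash, _digest(presented))
    if ok:
        member.reset_hash = member.reset_expires = None   # single use, as in (**)
    return ok
```

A 6-digit numeric code gives roughly 20 bits of guessing work against about 36 bits for 6 alphanumeric characters, which is the trade-off the "numeric" checkbox makes; rate limiting on the redeem path is what keeps the short form viable.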
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2016-03-16 16:16 | Chris Graham | New Issue | |
| 2016-03-22 06:11 | Patrick Schmalstig | Note Added: 0003471 | |
| 2016-03-22 12:58 | Chris Graham | Note Added: 0003473 | |
| 2019-06-27 01:50 | Chris Graham | Relationship added | related to 0001684 |
| 2019-06-27 01:50 | Chris Graham | Tag Attached: Type: Security | |
| 2020-03-28 01:44 | Chris Graham | Relationship added | related to 0003024 |
| 2020-03-28 01:45 | Chris Graham | Tag Attached: Roadmap: v11 | |
| 2020-03-28 01:48 | Chris Graham | Note Added: 0006493 | |
| 2020-03-28 02:38 | Chris Graham | Assigned To | => Chris Graham |
| 2020-03-28 02:38 | Chris Graham | Status | non-assigned => resolved |
| 2020-03-28 02:38 | Chris Graham | Resolution | open => fixed |