Change your password



  •  I was working as a web developer on this site.. and I came across this piece of code:

    class userCP extends Controller {
    	function index() {
    		$this->load->library("auth");
    		$this->load->library("infocache");
    
    		....snip....
    	}
    
    	.......snip......
    
    	function changePassword() {
    		$user_id = $this->auth->u_id;
    		$this->auth->forgot($user_id);
    
    		$this->load->view('notify', 'Please check your email for instructions on how to change your password');
    	}
    
    	.......snip......
    }
    

    What it actually did was allow the user to change their password. While other applications just ask you for your old password and then the new password.. this web app used the same code as for the 'Forgot Password' option, i.e. it sends you an email with a link that resets your password so that you can change it.

    When I asked my supervisor about this, he said, "The previous developer said that this step requires the user to validate his email account which is a good security measure". and I was totally like.. wtf??



  • Translation: "the previous developer hadn't a clue how to do it properly, so hacked together something that kinda worked and then attempted to conceal his incompetence under the blanket of 'security'".



  • Unless this system also lets people change their email address without validation at the old one, there's no WTF here. Let's say Alice has gained access to Bob's account at this site, but has not gained access to his email account. If she were able to change the password without email verification, Bob would completely lose access to his account since he wouldn't know the new password. If Alice cannot change the password, then she may be able to wreak havoc with Bob's account, but at least Bob would still be able to log back in to it later and correct the damage -- and change the password to something he knows and Alice doesn't.


  •

    @Albright said:

    Let's say Alice has gained access to Bob's account at this site, but has not gained access to his email account. If she were able to change the password without email verification, Bob would completely lose access to his account since he wouldn't know the new password.

    Of course Bob would simply ask for a password reset...




  • @PJH said:

    Of course Bob would simply ask for a password reset...

    True — after some initial confusion as to why the password that worked for him yesterday isn't working for him today. At least with the change-password-by-email method, he would be alerted that something is amiss with his account.



  • Reminds me of that security flaw in an early InvisionBoard forum version. Someone could request a password reset for whatever username, and actually grab the link without having to access the user's email box. That meant anyone could take full control of the forum in a matter of seconds, by running a password lost request with the admin name, resetting his password and quietly logging in to the admin panel with the new PW. By the time the admin saw the password change request email, said WTF and went to check the forum, everything was deleted or replaced by "Hacked by l337|-|/\X0r" or whatever. Long live database backups.



  • @Kilrah said:

    everything was deleted or replaced by "Hacked by l337|-|/\X0r"

    I used to be admin on a forum board that had no legitimate posts ... not because someone hacked the site, but because no one actually had interest in posting.  So the only posts on it were the spam posts which I removed.

    Actually, as I go right now to check to make sure people are able to register for the forums, I find that it is impossible.  I clicked "register" then "I am over 13 years of age" and then get the message "Sorry, but that usename is already taken."  I didn't even try to choose a username.  

    I'm pretty sure it worked when I originally set it up (in fact, the spam which I removed is evidence of that), and TRWTF may in fact be PHPBB, but I've moved on and it's not my problem anymore.  



  • @Albright said:

    Unless this system also lets people change their email address without validation at the old one, there's no WTF here. Let's say Alice has gained access to Bob's account at this site, but has not gained access to his email account. If she were able to change the password without email verification, Bob would completely lose access to his account since he wouldn't know the new password. If Alice cannot change the password, then she may be able to wreak havoc with Bob's account, but at least Bob would still be able to log back in to it later and correct the damage -- and change the password to something he knows and Alice doesn't.


    Agreed.  Not a WTF.   



  • @Albright said:

    True — after some initial confusion as to why the password that worked for him yesterday isn't working for him today. At least with the change-password-by-email method, he would be alerted that something is amiss with his account.

    The standard solution to this non-problem is to send an e-mail notification after the password has been changed, along with instructions on what to do if the change wasn't authorized.

    Some users complain about this level of chattiness.  I'm on the fence.  Either way, requiring e-mail validation just to change a password is idiotic.  For one thing, there's a massive opportunity for failure (server down, network problems, spam filters).  Making the process this painful for users also dramatically lowers the likelihood that they'll bother to change their passwords at all, which will end up lowering the overall security.  But perhaps most importantly, the vast majority of users use the same easy-to-remember password for their e-mail and their account at [wherever] anyway, so if their account is compromised, so is their e-mail.

    And of course, we're assuming that the site doesn't allow you to change your e-mail address.  If it does, then the security scheme is even more braindead.



  • Unless I'm misunderstanding something, this is pretty standard practice.

    Check out what gmail does, if you go through their 'lost password' process.



  • @Aaron said:

    The standard solution to this non-problem is to send an e-mail notification after the password has been changed, along with instructions on what to do if the change wasn't authorized.

    That's the standard solution?! Good gravy, are you thinking this through? What would that email say? "O HAI, someone just changed the password on your account. If it wasn't you, good luck logging on to your account next time. We could have done some trivial email verification to avoid that, but we didn't."

    I'm surprised there are so many divergent (in other words, wrong) opinions on what to do in this situation. I understand that sometimes one will sacrifice security for convenience on something trivial like a web forum script or something, but it's not like setting up a system to verify password changes via email is all that difficult. You don't goof around with passwords!



  • Why would you need an email to change a password??

    If you have the password, you have access to everything, so no need to take another step to change the password. You verify the password to change the password, and the email to change the email.

    So

    I sign up -> I create a password and get a validation email.

    I change my password -> I type my old password.

    I recover my password -> I get an email to reset it.

    I want to change my email -> I get an email at the old account with a link to avoid that (although if they're able to change my email, my account is compromised...).
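The flow TRWTF lays out above (old password to change the password, an emailed single-use token only for recovery, the old address told when the email changes), plus the post-change notification Aaron suggested earlier, as an added worked example that is not code from this thread or from the site the first post describes. It is Python rather than the site's PHP; the class names, the in-memory user store and the `outbox` list standing in for a mailer are assumptions made here. The reset token is stored only as a hash and is never returned to the caller, so the only place a working reset link ever exists is the email itself.

```python
# Added example (not code from the original thread or from the site it
# describes): a minimal account service implementing the flow argued for
# above.  A logged-in user proves the old password to change it, the emailed
# reset link exists only for the forgot-password path, and every change
# triggers a notification to the address on file.  The class names, the
# in-memory store and the outbox standing in for a mailer are assumptions.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    email: str
    salt: bytes
    pw_hash: bytes
    reset_token_hash: Optional[bytes] = None  # only a hash of the token is kept
    reset_expires: float = 0.0


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-user salt; stdlib only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountService:
    TOKEN_TTL = 15 * 60  # seconds a reset link stays valid

    def __init__(self) -> None:
        self.users = {}   # username -> User
        self.outbox = []  # constructed stand-in for a mailer: (to, body)

    def _send(self, to: str, body: str) -> None:
        self.outbox.append((to, body))

    def register(self, username: str, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = User(email, salt, hash_password(password, salt))
        self._send(email, "Welcome. Please confirm this address.")

    def verify_password(self, username: str, password: str) -> bool:
        u = self.users[username]
        return hmac.compare_digest(hash_password(password, u.salt), u.pw_hash)

    def change_password(self, username: str, old_password: str, new_password: str) -> bool:
        # Logged-in change: knowing the old password is the proof of possession.
        if not self.verify_password(username, old_password):
            return False
        self._set_password(username, new_password)
        return True

    def _set_password(self, username: str, new_password: str) -> None:
        u = self.users[username]
        u.salt = secrets.token_bytes(16)
        u.pw_hash = hash_password(new_password, u.salt)
        u.reset_token_hash = None  # any outstanding reset link is invalidated
        self._send(u.email, "Your password was changed. If this wasn't you, "
                            "use 'forgot password' and contact support.")

    def request_reset(self, username: str, now: Optional[float] = None) -> None:
        # Forgot-password path: a random single-use token goes only to the
        # address on file.  Only its hash is stored, so neither the HTTP
        # response nor a copy of the database yields a working link.
        u = self.users[username]
        token = secrets.token_urlsafe(32)
        u.reset_token_hash = hashlib.sha256(token.encode()).digest()
        u.reset_expires = (time.time() if now is None else now) + self.TOKEN_TTL
        self._send(u.email, "Reset link: https://example.invalid/reset?token=" + token)

    def complete_reset(self, username: str, token: str, new_password: str,
                       now: Optional[float] = None) -> bool:
        u = self.users[username]
        current = time.time() if now is None else now
        if u.reset_token_hash is None or current > u.reset_expires:
            return False
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, u.reset_token_hash):
            return False
        self._set_password(username, new_password)
        return True

    def change_email(self, username: str, password: str, new_email: str) -> bool:
        # Gated on the password; the old address is told, not asked, so a
        # mailbox that no longer exists cannot lock the user out of changing it.
        if not self.verify_password(username, password):
            return False
        u = self.users[username]
        old, u.email = u.email, new_email
        self._send(new_email, "This address is now on file for your account.")
        self._send(old, "Your account email was changed to " + new_email)
        return True
```

The `now` parameter exists so the expiry check can be exercised deterministically; in production it is simply left at the default. Note that `_set_password` clears any pending reset token, so a reset link requested before a successful password change (by either path) is dead afterwards, and a token can be redeemed at most once.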


  •

    @TRWTF said:

    I want to change my email -> I get an email at the old account with a link to avoid that

    I found out last month that ebay was still using my work email address from a job I had six years ago. Naturally that email box didn't exist anymore. If they'd required me to verify my email to change my email, I would never be able to receive email regarding my account from ebay again.

    Thankfully, they don't have any such rule.

