[Freeipa-devel] [RFC] Self-service Password Reset

Simo Sorce simo at redhat.com
Thu Jun 25 19:07:06 UTC 2015


On Thu, 2015-06-25 at 14:40 -0400, Drew Erny wrote:
> Hi, All,
> 
> FreeIPA's most requested feature just got a proposal.
> 
> Check it out at http://www.freeipa.org/page/V4/Self_Service_Password_Reset
> 
> I eagerly await your explanations of why this is a terrible idea.

Well clearly it is a security nightmare :-D
Anyway point 6, it is better to not send any password via email.
I see 2/3 options here.
1) Just show the user the new password and a link to go and reset it.
2) Just redirect the user to the Self-Service Password change page and
pre-fill the "old password" fields with the newly minted password.
3) Provide a password change with hidden old-password fields straight on
the self-service portal.

While 2 would be somewhat nice it is probably difficult because of CSRF
protections in FreeIPA, and besides if you already have the password you
might as well just use it immediately and save the redirect. So I would
prefer 3.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
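Option 3 from the message above, modelled as an added example in Python (this is not FreeIPA code; the in-memory directory, the TTL value, and leaving identity verification out of scope are assumptions). The temporary password is written to the directory with a short expiry and rendered straight into a hidden old-password field of the change form, so it is never mailed, and the normal password-change path consumes it:

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumed value for this example: a minted password is only usable briefly.
TEMP_PASSWORD_TTL = 600  # seconds


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SelfServicePortal:
    """Hypothetical portal: after the user has proven identity (not modelled),
    mint a temporary password, store it with an expiry, and serve a change
    form whose hidden old-password field is pre-filled with it."""

    def __init__(self) -> None:
        # user -> (salt, password hash, expiry or None for a permanent password)
        self.directory: Dict[str, Tuple[bytes, bytes, Optional[float]]] = {}

    def add_user(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.directory[user] = (salt, _hash(password, salt), None)

    def mint_temporary_password(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        temp = secrets.token_urlsafe(18)
        salt = secrets.token_bytes(16)
        # The reset itself: the old password stops working right here.
        self.directory[user] = (salt, _hash(temp, salt), now + TEMP_PASSWORD_TTL)
        return temp  # goes only into the hidden field of the server-rendered form

    def change_password(self, user: str, old: str, new: str,
                        now: Optional[float] = None) -> bool:
        """The ordinary password-change path; the reset flow reuses it unchanged."""
        now = time.time() if now is None else now
        entry = self.directory.get(user)
        if entry is None:
            return False
        salt, stored, expiry = entry
        if not hmac.compare_digest(_hash(old, salt), stored):
            return False
        if expiry is not None and now > expiry:
            return False  # stale temporary password: the user must restart the reset
        new_salt = secrets.token_bytes(16)
        self.directory[user] = (new_salt, _hash(new, new_salt), None)
        return True  # the temporary password is consumed and no longer matches
```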
