[Freeipa-devel] [RFC] Self-service Password Reset

Drew Erny derny at redhat.com
Thu Jun 25 19:13:06 UTC 2015



On 06/25/2015 03:07 PM, Simo Sorce wrote:
> On Thu, 2015-06-25 at 14:40 -0400, Drew Erny wrote:
>> Hi, All,
>>
>> FreeIPA's most requested feature just got a proposal.
>>
>> Check it out at http://www.freeipa.org/page/V4/Self_Service_Password_Reset
>>
>> I eagerly await your explanations of why this is a terrible idea.
> Well clearly it is a security nightmare :-D
> Anyway point 6, it is better to not send any password via email.
> I see 2/3 options here.
> 1) Just show the user the new password and a link to go and reset it.
> 2) Just redirect the user to the Self-Service Password change page and
> pre-fill the "old password" fields with the newly minted password.
> 3) Provide a password change with hidden old-password fields straight on
> the self-service portal.
I think when I was running this past my peers, they mentioned these
concerns, and I must've forgotten to update the draft.
>
> While 2 would be somewhat nice it is probably difficult because of CSRF
> protections in FreeIPA, and besides if you already have the password you
> might as well just use it immediately and save the redirect. So I would
> prefer 3.
I prefer 3 as well; I'll amend the draft right now.
>
> Simo.
>
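Option 3 from the exchange above (a self-service change form whose old-password field is pre-filled and hidden, so the minted password is never e-mailed), as an added illustration that is not FreeIPA code and not written by anyone in the thread. It assumes the user has already passed whatever reset challenge the proposal defines; the in-memory stores, the 10-minute lifetime, the retry limit and the function names are all constructed for the example.

```python
import hashlib
import hmac
import html
import secrets
import time

TEMP_TTL_SECONDS = 600      # constructed: a minted password lives 10 minutes
MAX_TRIES = 5               # constructed: discard the record after 5 bad attempts
PBKDF2_ROUNDS = 100_000

# Constructed in-memory stores standing in for the directory and the portal's
# server-side state; only salted hashes are kept, never the minted password.
_pending = {}   # username -> {"salt", "digest", "expires", "tries"}
_users = {}     # username -> {"salt", "digest"}


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def mint_temporary_password(username, now=None):
    """Mint a random temporary password once the reset challenge is passed.
    It is handed straight to the form renderer (point 6 of the proposal:
    nothing is sent by e-mail); the server keeps only its salted hash."""
    now = time.time() if now is None else now
    temp = secrets.token_urlsafe(24)
    salt = secrets.token_bytes(16)
    _pending[username] = {"salt": salt, "digest": _hash(temp, salt),
                          "expires": now + TEMP_TTL_SECONDS, "tries": 0}
    return temp


def render_change_form(username, temp):
    """Option 3: the normal change form with the old-password field hidden and
    pre-filled, so the user only types the new password twice."""
    return (
        '<form method="post" action="/reset/complete">'
        f'<input type="hidden" name="user" value="{html.escape(username)}">'
        f'<input type="hidden" name="old_password" value="{html.escape(temp)}">'
        '<input type="password" name="new_password" autocomplete="new-password">'
        '<input type="password" name="new_password_verify" autocomplete="new-password">'
        '<button type="submit">Change password</button>'
        '</form>'
    )


def complete_reset(username, old_password, new_password, verify, now=None):
    """Consume the pending record: exactly once, before expiry, within the
    retry budget, and only when the hidden old password matches."""
    now = time.time() if now is None else now
    rec = _pending.get(username)
    if rec is None or not new_password or new_password != verify:
        return False
    if now > rec["expires"]:
        _pending.pop(username, None)            # expired: discard, never accept
        return False
    if not hmac.compare_digest(_hash(old_password, rec["salt"]), rec["digest"]):
        rec["tries"] += 1
        if rec["tries"] >= MAX_TRIES:
            _pending.pop(username, None)        # too many failures: discard
        return False
    _pending.pop(username)                      # single use: consumed on success
    salt = secrets.token_bytes(16)
    _users[username] = {"salt": salt, "digest": _hash(new_password, salt)}
    return True


def check_login(username, password):
    """Verify a password against the stored salted hash (constructed store)."""
    rec = _users.get(username)
    return rec is not None and hmac.compare_digest(
        _hash(password, rec["salt"]), rec["digest"])


if __name__ == "__main__":
    temp = mint_temporary_password("alice")
    print(render_change_form("alice", temp))
    print(complete_reset("alice", temp, "N3w-Passw0rd!", "N3w-Passw0rd!"))
```

The hidden field carries the minted password only for the one request that completes the reset, which is what makes option 3 cheaper than option 2's redirect: there is no second page to protect and no e-mail copy to leak. The single-use, expiring record is what keeps a captured form from being replayed later.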



