[Freeipa-devel] [RFC] Self-service Password Reset

Drew Erny derny at redhat.com
Thu Jun 25 19:19:59 UTC 2015



On 06/25/2015 03:13 PM, Drew Erny wrote:
>
>
> On 06/25/2015 03:07 PM, Simo Sorce wrote:
>> On Thu, 2015-06-25 at 14:40 -0400, Drew Erny wrote:
>>> Hi, All,
>>>
>>> FreeIPA's most requested feature just got a proposal.
>>>
>>> Check it out at 
>>> http://www.freeipa.org/page/V4/Self_Service_Password_Reset
>>>
>>> I eagerly await your explanations of why this is a terrible idea.
>> Well clearly it is a security nightmare :-D
>> Anyway point 6, it is better to not send any password via email.
>> I see 2/3 options here.
>> 1) Just show the user the new password and a link to go and reset it.
>> 2) Just redirect the user to the Self-Service Password change page and
>> pre-fill the "old password" fields with the newly minted password.
>> 3) Provide a password change with hidden old-password fields straight on
>> the self-service portal.
> I think when I was running this past my peers, they mentioned these 
> concerns, and I must've forgotten to update the draft.
>>
>> While 2 would be somewhat nice it is probably difficult because of CSRF
>> protections in FreeIPA, and besides if you already have the password you
>> might as well just use it immediately and save the redirect. So I would
>> prefer 3.
> I prefer 3 as well; I'll amend the draft right now.
>>
>> Simo.
>>
>

Sorry, I jumped the gun on replying to this email and forgot to sanity 
check it.

Option 3 won't work, because when anybody who is not the user resets the 
user's password (including admins, IIRC), the user is prompted to reset 
their password upon first login. So, if the user sets a new password 
straight on the self-service portal, they'll have to change it 
immediately anyway, because the self-service portal will be the "user" 
resetting the password, not the actual user.

Option 1, just displaying the password to the user, is probably actually 
best. This way, they copy the password, paste it into the FreeIPA webui 
login form, and then get kicked into the FreeIPA webui password reset 
workflow, instead of setting a new password just to have to change it. 
We can show the password with a big message that says, "USE THIS 
PASSWORD IMMEDIATELY. IT WILL NOT BE AVAILABLE AGAIN."
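A small model of the option 1 flow argued for above, added here as an illustration and not FreeIPA's own code: the portal mints a temporary password, returns it exactly once for display (never mailed), and because someone other than the user set it, the first login is pushed into a forced password change. The Account, self_service_reset, login and change_password names are assumptions of this model.

```python
import secrets
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed model of the thread's option 1; not FreeIPA code.
# Any password set by someone other than the account owner (here: the portal)
# flags the account so the first login with that password forces a change.

def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

@dataclass
class Account:
    uid: str
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    pw_hash: bytes = b""
    must_change: bool = False  # set when the password was not chosen by the user

    def set_password(self, new_pw: str, by: str) -> None:
        self.pw_hash = _hash(new_pw, self.salt)
        # admin- or portal-initiated reset => user must change it at first login
        self.must_change = by != self.uid

    def check(self, pw: str) -> bool:
        return hmac.compare_digest(self.pw_hash, _hash(pw, self.salt))

def self_service_reset(acct: Account) -> str:
    """Portal mints a random temporary password and returns it once for display.
    It is never mailed and survives only as a hash on the account."""
    temp = secrets.token_urlsafe(16)
    acct.set_password(temp, by="self-service-portal")
    return temp

def login(acct: Account, pw: str) -> str:
    """'denied', 'change-required' (kicked into the reset workflow) or 'ok'."""
    if not acct.check(pw):
        return "denied"
    return "change-required" if acct.must_change else "ok"

def change_password(acct: Account, old_pw: str, new_pw: str) -> bool:
    """The user's own change: needs the current (temporary) password, clears the flag."""
    if not acct.check(old_pw):
        return False
    acct.set_password(new_pw, by=acct.uid)
    return True
```

Setting the user's chosen password straight from the portal (option 3) goes through the same set_password path with a non-owner actor, so the model reproduces the forced change the message describes.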
