Closed Bug 291670 Opened 20 years ago Closed 18 years ago

Possible improvement to lost password recovery scheme

Categories

(addons.mozilla.org Graveyard :: Developer Pages, defect, P5)

defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: chuonthis, Unassigned)

References

()

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050422 Firefox/1.0+
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050422 Firefox/1.0+

In relation to bug 291669, ideally, passwords shouldn't be emailed in plaintext.
 However, when using the current password reset feature, an email is sent to the
user with a new random password in plaintext.  I suggest we "borrow"
Amazon.com's recovery scheme.  After entering the email address, a link with a
unique id (possibly about 32 characters or more) is emailed to the user (for
example, recover.php?id=123).  When the link is visited, the user can then set
the password to whatever he wants (with the typical enter password twice box). 
The password is then changed.  The id is no longer valid after the password has
been changed or after some period of time has passed.

This scheme provides two benefits.  The first is that a password is not sent in
plaintext (although the ID is...which is just as useful as the new random
password).  However, the second benefit is that the password is not changed
until the user changes it via the link.  That way, a malicious user can't just
enter everyone's email address to reset everyone's password to a random one
(even though they will have received an email with the new password).  Instead,
everyone will receive an email saying that a request for a password reset was
made and to follow the link which the users can then ignore or whatnot.

Reproducible: Always

Steps to Reproduce:
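The token scheme proposed above, worked through as an added example: this is not code from this bug, from AMO or from Remora, and it is in Python rather than the PHP the site used at the time, since it is meant to show the flow, not the site's implementation. Everything beyond the description is an assumption: the class and function names (AccountStore, request_reset, complete_reset), the one-hour lifetime in TOKEN_TTL_SECONDS, the example.invalid host in the link, and the choice to store only a SHA-256 digest of the token so a leaked table does not yield working links. The recover.php?id=... link format is the one the report suggests. The two properties the report lists are both visible in the code: requesting a reset leaves the password untouched, and the token dies on use or on expiry.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumption: a reset link stays valid for one hour.
TOKEN_TTL_SECONDS = 3600
PBKDF2_ROUNDS = 100_000


@dataclass
class User:
    email: str
    salt: bytes
    pw_hash: bytes


@dataclass
class ResetRecord:
    email: str
    expires_at: float


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _digest(token: str) -> bytes:
    # Only the digest is stored; the plaintext token exists only in the email.
    return hashlib.sha256(token.encode()).digest()


class AccountStore:
    """Hypothetical in-memory store standing in for the site's user table."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.now = now  # injectable clock so expiry can be exercised offline
        self.users: Dict[str, User] = {}
        self.resets: Dict[bytes, ResetRecord] = {}  # token digest -> record

    def create_user(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[email] = User(email, salt, hash_password(password, salt))

    def check_login(self, email: str, password: str) -> bool:
        user = self.users.get(email)
        if user is None:
            return False
        return hmac.compare_digest(user.pw_hash, hash_password(password, user.salt))

    def request_reset(self, email: str) -> Optional[str]:
        """Step 1: mint a single-use token and return the link to email.

        The password is NOT changed here, so anyone submitting other people's
        addresses only causes those people to receive an ignorable email.
        Returns None for an unknown address; the caller should show the same
        "check your email" page either way so addresses cannot be enumerated.
        """
        if email not in self.users:
            return None
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, ~43 characters
        self.resets[_digest(token)] = ResetRecord(email, self.now() + TOKEN_TTL_SECONDS)
        return f"https://example.invalid/recover.php?id={token}"

    def complete_reset(self, token: str, new_password: str, confirm: str) -> bool:
        """Step 2: the user follows the link and chooses a password.

        Returns True only if the token is known, unexpired and the two password
        fields match; a successful reset (or an expired token) removes the
        record, so the link cannot be replayed.
        """
        key = _digest(token)  # a wrong guess never matches; the token is unguessable
        record = self.resets.get(key)
        if record is None:
            return False
        if self.now() > record.expires_at:
            del self.resets[key]
            return False
        if new_password != confirm:
            return False  # typo in the form: keep the token so the user can retry
        del self.resets[key]  # single use
        # Drop any other outstanding links for this account as well.
        for other_key in [k for k, r in self.resets.items() if r.email == record.email]:
            del self.resets[other_key]
        user = self.users[record.email]
        user.salt = secrets.token_bytes(16)
        user.pw_hash = hash_password(new_password, user.salt)
        return True


def token_from_link(link: str) -> str:
    return link.split("id=", 1)[1]


if __name__ == "__main__":
    store = AccountStore()
    store.create_user("alice@example.invalid", "hunter2")  # constructed sample account
    link = store.request_reset("alice@example.invalid")
    print("old password still valid after request:", store.check_login("alice@example.invalid", "hunter2"))
    print("reset accepted:", store.complete_reset(token_from_link(link), "correct horse", "correct horse"))
    print("link reusable:", store.complete_reset(token_from_link(link), "x", "x"))
```

The lookup goes through a dictionary keyed by the token's digest rather than a constant-time compare over every record; that is safe here because the token carries 256 bits of randomness, so timing differences give an attacker nothing to narrow down. The only expiry the report mentions is time and use, which is what the code enforces; the clock is injectable purely so the expiry branch can be tested without waiting an hour.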
Not security sensitive.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Target Milestone: 1.0 → 2.0
Yeah, we do that with Bugzilla.  We mail them a token, and when they click the
link with the token in it, it lets them set a new password of their choosing.
Group: webtools-security → update-security
I seem to remember an earlier discussion about using the tokens, but that may
have just been on IRC.  
Group: update-security
Mass change - bugs to be read / (re)confirmed.
Assignee: Bugzilla-alanjstrBugs → nobody
Priority: -- → P5
AMO bugspam. Correcting QA contacts on OLD bugs (mozilla.update@update.bugs)

-> Correct QA contact (developers@add-ons.bugs)

Filtermeplzkthx
QA Contact: mozilla.update → developers
Target Milestone: 2.0 → ---
Actually I didn't know about this bug, but that's exactly the scheme I implemented for Remora.

Therefore marking this fixed.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Product: addons.mozilla.org → addons.mozilla.org Graveyard