Bug 517473
Opened 15 years ago
Updated 12 years ago
Add support for a security question that must be answered before users can reset/change their passwords
Categories
(Bugzilla :: User Accounts, enhancement, P4)
NEW
People
(Reporter: reed, Unassigned)
Details
(Keywords: sec-want, Whiteboard: [sg:want][wanted-bmo])
It's way too easy right now just to hack somebody's e-mail account and request a password reset on the person's bugzilla account in order to get access to it. Bugzilla should support some type of security question that must be answered before password reset (or some other major change thing such as password reset or e-mail address change) is permitted.
Updated 15 years ago
Priority: -- → P4
Summary: Add support for a security question that must be answered before various operations are permitted → Add support for a security question that must be answered before users can reset their passwords
Comment 1, 15 years ago
It's personally WONTFIX to me, not even P4. I don't see how you could hack someone else's account and get access to it.
Comment 2 (Reporter), 15 years ago
(In reply to comment #1)
> It's personaly WONTFIX to me, not even P4. I don't see how you could hack
> someone else's account and get access to it.
All it requires is getting access to somebody's e-mail whether directly or by interception. That's generally not that difficult, especially if it's far easier to brute force somebody's e-mail account than it is Bugzilla (due to password brute force protection).
Summary: Add support for a security question that must be answered before users can reset their passwords → Add support for a security question that must be answered before users can reset/change their passwords
Whiteboard: [sg:want][wanted-bmo]
Comment 3, 15 years ago
And how the feature you are suggesting would help?
Comment 4 (Reporter), 15 years ago
(In reply to comment #3)
> And how the feature you are suggesting would help?
Because the attacker will have to know the answer to the security question in order to reset the user's password in order to gain access to the user's bugzilla account.
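As an added illustration of the control the reporter is describing (this is example code written for this page, not Bugzilla's own implementation), the flow below issues an e-mailed reset token but refuses to change the password unless the security-question answer is also supplied. The answer is normalised and hashed with the same care as a password, compared in constant time, and the token is single-use, time-limited and locked after a few wrong guesses, so a mailbox compromise alone is not sufficient. The in-memory store, the `ResetFlow` class and its method names are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import time


def _hash_secret(value: str, salt: bytes) -> bytes:
    """Hash a password or security answer with PBKDF2; answers are
    normalised first so 'Rover ' and 'rover' are treated as the same."""
    normalised = " ".join(value.strip().lower().split())
    return hashlib.pbkdf2_hmac("sha256", normalised.encode(), salt, 200_000)


class ResetFlow:
    """Hypothetical reset flow: e-mailed token + security answer required."""

    TOKEN_TTL = 15 * 60   # reset tokens expire after 15 minutes
    MAX_ATTEMPTS = 5      # lock the token after repeated wrong answers

    def __init__(self):
        # Constructed in-memory stores standing in for the application database.
        self.accounts = {}  # login -> salt, password hash, answer hash
        self.tokens = {}    # token -> login, expiry, attempt counter

    def register(self, login: str, password: str, answer: str) -> None:
        salt = os.urandom(16)
        self.accounts[login] = {
            "salt": salt,
            "password_hash": _hash_secret(password, salt),
            "answer_hash": _hash_secret(answer, salt),
        }

    def check_password(self, login: str, password: str) -> bool:
        acct = self.accounts[login]
        return hmac.compare_digest(
            acct["password_hash"], _hash_secret(password, acct["salt"])
        )

    def request_reset(self, login: str) -> str:
        """Step 1: generate the single-use token that would be e-mailed.
        Someone who only controls the mailbox obtains nothing more than this."""
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {
            "login": login,
            "expires": time.time() + self.TOKEN_TTL,
            "attempts": 0,
        }
        return token

    def complete_reset(self, token: str, answer: str, new_password: str) -> bool:
        """Step 2: the token alone is not enough; the security answer must
        also match before the password is changed."""
        entry = self.tokens.get(token)
        if entry is None or time.time() > entry["expires"]:
            return False
        if entry["attempts"] >= self.MAX_ATTEMPTS:
            return False          # locked: too many wrong answers
        entry["attempts"] += 1
        acct = self.accounts[entry["login"]]
        given = _hash_secret(answer, acct["salt"])
        if not hmac.compare_digest(acct["answer_hash"], given):
            return False
        acct["password_hash"] = _hash_secret(new_password, acct["salt"])
        del self.tokens[token]    # token is single-use
        return True
```

The attempt limit matters as much as the question itself: security answers tend to be low-entropy, so the token must stop working after a handful of wrong guesses rather than letting the answer be brute-forced.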
Comment 5, 12 years ago
(In reply to Reed Loden [:reed] from comment #4)
> Because the attacker will have to know the answer to the security question
In most (all?) systems I know which use a security question, this is only needed when the user cannot remember his password. I think I have never been able to remember the answer to my security questions, because I assume I will never need them. Forcing the user to answer the security question when he already knows his password is really painful, IMO. Not something I want in the core code. Feel free to write an extension for it (and how do you do it for existing accounts?)