
Requiring old password in order to change your password

by tye (Sage)
on Dec 30, 2010 at 22:02 UTC (#879874)

As a tiny improvement in security and as a tiny step along the path of much bigger improvements in security, I will be changing the site so that you will be required to enter your old password in order to change your password.

I didn't want to just spring this change without warning, as there are probably quite a few people who have forgotten their PerlMonks password because their browser cookie is enough. But, in reality, this improvement shouldn't present much of a problem even for such people.

If you don't remember your password, then just make sure your e-mail address is up-to-date and request a "I forgot my password" e-mail (What's my password?). Yes, work has already been done to change that to send you a URL that gives you temporary access to change your password without knowing your current password rather than just e-mailing your current password, unencrypted, but that work has not yet been deployed (I hope to have it deployed fairly soon).

- tye        


Re: Requiring old password in order to change your password
by Xilman (Friar) on Dec 30, 2010 at 22:48 UTC

    Sounds good to me and I'm looking forward to the temporary URL solution

    Last year I ran into a problem where not only had I forgotten my password, the on-file email address had evaporated five years previously. I wanted to register for a conference in a series for which I had previously been sponsored by my then employer. Fortunately, the conference organizers had kept my previous registration details and I was able to provide them with enough information that they could check my identity to their satisfaction. The traditional way of doing that, of course, is to provide a secondary key to the account, triggered by the asking of a subsidiary question. The question and its answer are kept on-file by the supplier of the account. Will this mechanism be used here, or are you planning some other solution to guard against email address expiry?

    Paul

    (Minor edits to fix a spelling mistak and remove a superfluous word word)

      I wasn't planning on implementing the annoying multiple "What was the mascot of the first car where your favorite pet's maiden name's favorite sport first met their favorite superhero?" questions.

      This is a programming site so we may be able to go with some more high-tech solutions. For example, let you paste a public key to store in your account so you can save your private key whatever places you like with as strong or weak of a pass-phrase as you like and get access to change your password by correctly signing a random challenge message. Though, I'm disappointed at how non-obvious it is which commands to use to sign a message with a private key. So that might not be viable enough, sadly.[1]

      [1] I'd love to set up a virtual machine with sshd running on it. The "I forgot my password" page would prep the machine for your account and give you its current IP address and port number. Just log in to that machine with your user_id as login name using your private key and you'd be prompted to enter your new password. When it comes to things that you can do with a private key, using ssh seems the most widely and easily accessible. :)

      I'd also really like to be able to have two e-mails. I've many times experienced losing access to an e-mail account suddenly and unexpectedly (changing jobs is the most common example but I've also had my private e-mail service provider just go out of business suddenly and unexpectedly) or just didn't realize that I was using that old e-mail address. Having a second e-mail address registered greatly reduces the risk of me ending up with no accessible e-mail address when I realize that I need it.

      There are two competing concerns about these backups to your account password: 1) Making it possible to get back into your account despite you having forgotten your password (the "experts" tell you to not write it down, after all) and having lost access to other items (and not requiring human administrator intervention), 2) Keeping it hard for somebody to steal your account from you and also possible for you to steal it back.

      For example, (2) inspired somebody to suggest that you should be required to enter your (old) password to be able to change your e-mail address. But I think that thwarts a too-common case of (1) (at least for now). Instead, I'd like changing the e-mail to trigger an e-mail to the old address that includes a URL that can be used to regain control of the account for a limited span of time. But that presents a problem after somebody has hijacked your account and changed the e-mail address when you try to regain control and change the e-mail back.

      - tye        
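The flows discussed in this thread, as an added example that is not PerlMonks code: changing a password requires the old password even when the caller holds a valid login cookie (the change tye announces in the root post), the "I forgot my password" path mails a time-limited, single-use URL instead of the password itself (the not-yet-deployed work tye mentions), and changing the e-mail address needs no password but mails a revert link to the old address (tye's preference above). The in-memory site, the outbox standing in for e-mail, the `example.invalid` URLs, the one-hour lifetime and the scrypt cost parameters are all assumptions, as is the handling of the loop tye describes: the revert path is treated as a special action that mails no further revert link and cancels every outstanding link on the account.

```python
"""Password-change, reset-link and e-mail-revert flows (constructed example).

Everything here is an in-memory stand-in, not PerlMonks code: accounts live in
Python objects, "sending e-mail" appends to a list, and the URL host is made up.
"""
import hashlib
import hmac
import os
import secrets
import time

SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}  # assumed cost; tune for the server
TOKEN_TTL = 3600                                 # assumed: mailed links live one hour


def hash_password(password, salt=None):
    """Salted scrypt hash; returns (salt, digest) so both can be stored."""
    salt = salt or os.urandom(16)
    return salt, hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)


def verify_password(password, salt, digest):
    """Constant-time comparison so timing does not leak how much of the hash matched."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def token_key(token):
    """Only a hash of each mailed token is stored, so a leaked table is not replayable."""
    return hashlib.sha256(token.encode()).digest()


class Account:
    def __init__(self, user_id, password, email):
        self.user_id, self.email = user_id, email
        self.salt, self.digest = hash_password(password)
        self.tokens = {}  # token_key -> (purpose, payload, expiry)


class Site:
    def __init__(self):
        self.outbox = []        # (address, url) pairs instead of real e-mail
        self.clock = time.time  # replaceable so expiry can be exercised in tests

    # --- the change this thread announces ----------------------------------
    def change_password(self, acct, old_password, new_password):
        """A login cookie is not enough: the caller must prove the old password."""
        if not verify_password(old_password, acct.salt, acct.digest):
            return False
        acct.salt, acct.digest = hash_password(new_password)
        acct.tokens.clear()     # outstanding reset links die with the old password
        return True

    # --- time-limited, single-use links ------------------------------------
    def issue_link(self, acct, purpose, address, payload=None):
        token = secrets.token_urlsafe(32)
        acct.tokens[token_key(token)] = (purpose, payload, self.clock() + TOKEN_TTL)
        self.outbox.append((address, f"https://example.invalid/{purpose}?t={token}"))
        return token            # returned only so a caller/test can redeem it

    def redeem_link(self, acct, token, purpose):
        """Return the stored entry, or None if unknown, wrong purpose, or expired."""
        entry = acct.tokens.pop(token_key(token), None)   # pop: a link works once
        if entry is None or entry[0] != purpose or entry[2] < self.clock():
            return None
        return entry

    # --- "What's my password?" without mailing the password ----------------
    def forgot_password(self, acct):
        return self.issue_link(acct, "reset", acct.email)

    def reset_password(self, acct, token, new_password):
        if self.redeem_link(acct, token, "reset") is None:
            return None
        acct.salt, acct.digest = hash_password(new_password)
        acct.tokens.clear()
        return True

    # --- e-mail change: no password needed, revert link goes to the old address
    def change_email(self, acct, new_email):
        old_email, acct.email = acct.email, new_email
        return self.issue_link(acct, "revert-email", old_email, payload=old_email)

    def revert_email(self, acct, token):
        """Assumed handling: a revert is not an ordinary change, so it mails no
        further revert link and cancels every other outstanding link."""
        entry = self.redeem_link(acct, token, "revert-email")
        if entry is None:
            return False
        acct.email = entry[1]
        acct.tokens.clear()
        return True
```

The sequence worth tracing is a hijacked session: with only a cookie, the intruder can change the e-mail address but not the password, the revert link lands in the old mailbox, and reverting does not hand the intruder's address a link of its own.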

        It might also help if the gods issued official policies and recommendations about how they would treat accounts with lost passwords. So far, we only have evidences from individual cases instead of general statements in the FAQ.

        I wasn't planning on implementing the annoying multiple "What was the mascot of the first car where your favorite pet's maiden name's favorite sport first met their favorite superhero?" questions.

        I wasn't suggesting you should. My suggestion is that you keep two other items on file: a string chosen by the user which is displayed on the account recovery page and another string which is compared against what the user enters after the first string is displayed. The first string would most likely be a question but need not. If I want my question to be "What is your mother's maiden name?" then it's my choice to have a response which is probably easily guessable. If my first statement is "The universe is" and the expected response is "purely 42itous" then, again, it's my choice to have something which I may be unlikely to remember five years later. It makes no difference to you whether either or both strings are meaningful and/or relevant, all you have to do is display one and check the other.

        I hope this clarifies my proposal.

Re: Requiring old password in order to change your password
by andreas1234567 (Vicar) on Jan 03, 2011 at 09:57 UTC
    the path of much bigger improvements in security
    Is HTTPS support on the list?
    --
    No matter how great and destructive your problems may seem now, remember, you've probably only seen the tip of them. [1]

      Only for when logging in, yes.

      - tye        

        Thanks, that's one step in the right direction. Additionally, it would be great to consider (optionally) allowing https for all communications (not just logins) in your on-going security review of the site. Some claim SSL/TLS is not computationally expensive any more but that is of course subject to debate.

        Https everywhere is getting a lot of traction and the number of sites that support https "all the way" is large and growing. It would be great to add perlmonks.org to the list:

        $ ls https-everywhere/src/chrome/content/rules/*.xml | wc -l
        426
        --
        No matter how great and destructive your problems may seem now, remember, you've probably only seen the tip of them. [1]
Re: Requiring old password in order to change your password
by RedElk (Hermit) on Dec 30, 2010 at 23:57 UTC
    Sounds good to me...

    Ditto.
    Thanks for the heads up.

Re: Requiring old password in order to change your password
by breadwild (Initiate) on Sep 15, 2016 at 13:22 UTC
    The password I had for years is not working and apparently my PM email address is no longer valid. What can I do? I created a new account just so I could start this recovery process. I am a longtime user: bradcathey Thanks.

      Your account was disabled (by nulling the password field) because yours was one of the passwords leaked in the "perlmonks hack" of May, 2009. In reviewing the list of compromised accounts, I discovered about a dozen which still had their passwords unchanged since the leak. Yours was one. Seems you ignored all the admonitions to change your password at the time!

      I'll re-enable your account, by filling in a temporary password. You should then use What's my password? to retrieve it; and then, once you've logged in, set it to something new. And please exercise better password hygiene. :-)

        Points taken. It will be good to be back in.

Node Type: monkdiscuss [id://879874]
Approved by ikegami
Front-paged by ikegami