#1
Contributing User (Devshed Intermediate, 1500 - 1999 posts; joined Sep 2006; 1,984 posts; rep power 533)

    Password, emails, users, and administrators


So, I have a site which has usernames and passwords, as well as one or more administrators. I have several scenarios on which I would appreciate your opinions.

    1. User changes his/her password. Require the old password to be submitted with the request to change. In addition to preventing someone from physically going to their PC and changing the password, is this also done to prevent changes should a session have been hijacked? If a session has been hijacked, isn't security already compromised?
    2. User changes his/her email. Also require the old password to be entered so that an imposter doesn't change the email and request a new password. Thank you Jacques1
    3. Administrator changes a user's password. Don't allow them to do so, but instead only allow the administrator to reset the password and have it sent to the user's email address.
    4. Administrator changes a user's email. If you allow it, then the administrator has access to the user's password by changing their email to their own and resetting the password, and you might as well allow administrators to directly set users' passwords (#3). If you don't allow it, then if a user forgets their password and no longer has access to the email, there is no way to recover the account.


    Thank you
#2
Devshed Expert (3500 - 3999 posts; joined Jul 2012; 3,959 posts; rep power 1014)
    Originally Posted by NotionCommotion
    User changes his/her password. Require old password to be submitted with the request to change. In addition to preventing someone from physically going to their PC and changing the password, is this also done to prevent changes should sessions have been hijacked?
    Yes. If you hijack a session, you only have temporary access to the account at first. When the session expires (which it should) or the user clicks on the "logout" button, you're out.

    But if the website lets you change the password or email address, you can gain full control of the account, because you can set the login data yourself and come back anytime.

    As to the administrators:

    If you don't trust your administrators, they shouldn't be administrators in the first place. Changing email addresses, resetting passwords etc. is pretty much the purpose of an admin, isn't it? So they simply need those privileges.

    But it does make sense to add extra security to the admin accounts. For example, they should be required to use a very strong password. Every critical action (like changing user credentials) should be confirmed with their own password in addition to the anti-CSRF token. And of course you need to use HTTPS on every page.

    Comments on this post

    • NotionCommotion agrees: Good points!

    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
#3
Contributing User (Devshed Intermediate, 1500 - 1999 posts; joined Sep 2006; 1,984 posts; rep power 533)
    If you don't trust your administrators, they shouldn't be administrators in the first place. ... resetting passwords is pretty much the purpose of an admin, isn't it?
    Part of my question was why not allow administrators to straight off change passwords and not just reset them. After more thought, I agree that it makes sense as one shouldn't be unduly tempted to do the wrong thing.

    But it does make sense to add extra security to the admin accounts.
But each thing you impose reduces someone's (albeit an administrator's) UI. I guess risk/benefit must be analyzed for each.
#4
Contributing User (Devshed Frequenter, 2500 - 2999 posts; joined Dec 2004; 2,985 posts; rep power 375)
    I think because an account belongs to a user, I don't think that the admin should really "know" the password as you say; some people might get curious and log into different accounts etc.

    I don't think what he suggested reduces UI. You could also just not ask them to enter their password for trivial things. I think adding security depends on the nature of your system/website and the risks involved.
#5
Devshed Expert (3500 - 3999 posts; joined Jul 2012; 3,959 posts; rep power 1014)
    Originally Posted by NotionCommotion
    After more thought, I agree that it makes sense as one shouldn't be unduly tempted to do the wrong thing.
    Admins should be able to manually set the password of a user, because this is the quickest and sometimes the only way of fixing typical authentication issues ("I registered, but I didn't receive an email", "I no longer have access to my email account", ...).

    Again: If you don't trust somebody and expect him/her to abuse those features, then this person shouldn't be admin in the first place.

    An admin is supposed to have full control of the application, which includes setting passwords, email addresses etc. If you mean accounts with less privileges, you shouldn't call them "admins" but rather "moderators", "maintainers" or whatever.



    Originally Posted by NotionCommotion
But each thing you impose reduces someone's (albeit an administrator's) UI. I guess risk/benefit must be analyzed for each.
    No. When it comes to admin accounts, security is clearly more important than convenience (which doesn't mean that the UI should be unusable). An admin may very well be expected to do extra work like installing a password management tool. It's their job.
#6
Contributing User (Devshed Intermediate, 1500 - 1999 posts; joined Sep 2006; 1,984 posts; rep power 533)
    No. When it comes to admin accounts, security is clearly more important than convenience
    Maybe I should have better explained what my "administrators" are.

My application will create micro-sites for small groups to allow them to manage their sales forecast. The average number of members for each site will range from 1 to 20, and all members will personally know each other. The administrator for each site will typically be the individual who originally signed up for the site. The administrator can promote other members to administrator status, and other administrators can demote another administrator to normal status.

    So, yes, security is important, but I am still struggling on the best way to implement it without impacting the working efficiency of the group.

    I think I will allow normal users to change their own email addresses or passwords without re-entering their password, since an imposter can only gain access to a normal account, which they can easily call up their administrator friend "Bob" and have him change back. I will also allow administrators to be able to change another normal user's email or password without re-entering their password, but will auto-generate an email to the old email address saying "Bob changed your email, and get on his case if he shouldn't have done so." For that matter, I think I will auto-generate a similar email even when a user modifies their own account. Requiring administrators to re-enter their password when they change their own email or password is probably a good idea, and I will most likely implement it.

    EDIT: In a nutshell, add the following two rules:
    • Whenever a user's email, password, or access level is changed or a user is deleted, generate an email to the original user's email address informing them of the change.
    • Whenever an administrator changes his own password or email or changes another user's access to "administrator", require them to re-enter their old password.


Given the nature of my application, do you have any other recommendations?
    Last edited by NotionCommotion; May 1st, 2013 at 05:43 AM.
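The rules from post #2 (credential changes confirmed with the account's own password plus an anti-CSRF token, so a hijacked session alone cannot take the account over) and the two rules from post #6 (notify the original address on any change; admins re-enter their password when changing their own credentials or promoting someone to admin), as an added Python example that is not code from the thread. It assumes the web framework has already resolved `actor` from `session_id`; the `AccountService` class, its in-memory stores and the sample addresses are constructed for the example.

```python
import hashlib, hmac, os, secrets

ITERATIONS = 100_000  # PBKDF2 work factor; a constructed value for this example

def hash_password(password, salt=None):
    # Salted PBKDF2-HMAC-SHA256; the 16-byte salt is stored in front of the digest
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify_password(password, stored):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), stored[:16], ITERATIONS)
    return hmac.compare_digest(candidate, stored[16:])

class AccountService:
    def __init__(self):
        self.users = {}    # name -> {"email": str, "pw": bytes, "role": "user" | "admin"}
        self.tokens = {}   # session id -> anti-CSRF token
        self.outbox = []   # (recipient address, message) that a real site would email

    def add_user(self, name, email, password, role="user"):
        self.users[name] = {"email": email, "pw": hash_password(password), "role": role}

    def issue_csrf_token(self, session_id):
        self.tokens[session_id] = secrets.token_urlsafe(32)
        return self.tokens[session_id]

    def change_account(self, actor, session_id, csrf_token, target, new_email=None,
                       new_password=None, new_role=None, current_password=None):
        """Apply the change under the thread's rules; True on success, False if refused."""
        if not (csrf_token and hmac.compare_digest(self.tokens.get(session_id, ""), csrf_token)):
            return False                        # missing or forged anti-CSRF token
        acting, subject = self.users[actor], self.users[target]
        is_admin = acting["role"] == "admin"
        if (actor != target or new_role is not None) and not is_admin:
            return False                        # only admins touch other accounts or roles
        # Post #6 rule 2: admin changing own email/password or promoting to admin re-enters password
        reauth = is_admin and (actor == target and bool(new_email or new_password) or new_role == "admin")
        if reauth and not (current_password and verify_password(current_password, acting["pw"])):
            return False
        old_email = subject["email"]            # notify the address on file BEFORE the change
        if new_email:
            subject["email"] = new_email
        if new_password:
            subject["pw"] = hash_password(new_password)
        if new_role:
            subject["role"] = new_role
        # Post #6 rule 1: tell the original address who changed the account, so the owner can react
        self.outbox.append((old_email, "%s changed your account" % actor))
        return True
```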
