From: "Wang, Kuiying" <kuiying.wang@intel.com>
To: OpenBMC Maillist <openbmc@lists.ozlabs.org>
Cc: "Li, Yong B" <yong.b.li@intel.com>,
	"Jia, Chunhui" <chunhui.jia@intel.com>
Subject: BMCWeb changes login password
Date: Fri, 30 Aug 2019 07:18:28 +0000
Message-ID: <959CAFA1E282D14FB901BE9A7BF4E7724E51562F@shsmsx102.ccr.corp.intel.com>


Currently only the administrator is allowed to add users, modify users, or change passwords.
The administrator has permission to change other users' passwords or delete them directly.
The administrator does not need to know the old password of other users.
For the administrator changing their own password, the old password is still not needed, because the administrator is already logged in to a session.
So we don't need to add an "input field to enter the old password".

But there is an open question about multiple administrator user support: currently an administrator user can add more administrator-level users.
And any one of the administrators who logs in could modify other administrator users, e.g. change their password or delete them directly.
I think it is a bit of a security issue. We have to restrict multiple administrator users, or not allow an administrator to modify other administrator users.


Thanks,
Kwin.



> > On 8/28/19 3:20 AM, George Liu (刘锡伟) wrote:
> > >
> > > I want to discuss with everyone the solution for changing the login
> > > password.
> > >
> > >   In the web UI, when the user needs to change the login password, the
> > > current solution is to directly enter the new password twice to change
> > > it successfully, but the old password is not verified. The advantage is
> > > that we can use the new password through this solution if we forget
> > > the old password, but for security reasons I think we should
> > > verify the old password instead of directly entering the new
> > > password before changing the login password.
> > >
> > > If anyone has any ideas or experience, please share, thanks!
> > >
> > Are you referring to the phosphor-webui design mentioned here?:
> > https://github.com/ibm-openbmc/dev/issues/1048
> >
> > OWASP has some recommendations:
> >
> > https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#require-re-authentication-for-sensitive-features
> >
> > https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html#step-4-allow-user-to-change-password-in-the-existing-session
>
> Thanks, the password change was mentioned in step 4.
> I think we should add an input field to enter the old password and verify it
> when the form is submitted (phosphor-webui).
>
> >
> > - Joseph
> >
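As an added illustration (not bmcweb or phosphor-webui code), a Python policy check that encodes both positions in the thread: an administrator may set another user's password without knowing it, a user changing their own password must re-enter the current one (the OWASP re-authentication advice), and a switch covers the open question of administrators editing other administrators. Account names, role names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

ITERATIONS = 100_000  # PBKDF2 work factor (constructed value for this example)


def hash_password(password: str, salt: Optional[bytes] = None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against the stored digest."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


@dataclass
class Account:
    name: str
    role: str  # "Administrator" or "User" (hypothetical role names)
    salt: bytes
    digest: bytes


def make_accounts() -> dict:
    """Constructed sample accounts: two administrators and one ordinary user."""
    seed = [("root", "Administrator", "0penBmc"), ("admin2", "Administrator", "Secret2"),
            ("operator", "User", "Op3rator")]
    return {n: Account(n, r, *hash_password(pw)) for n, r, pw in seed}


def change_password(session_user: Account, target_name: str, new_password: str,
                    accounts: dict, old_password: Optional[str] = None,
                    admins_may_edit_admins: bool = False) -> str:
    """Apply the policy; returns "ok" or a "denied: ..." reason."""
    target = accounts[target_name]
    if target.name == session_user.name:
        # Self-service change: a live session is not enough, the current password
        # must be re-entered (OWASP: re-authenticate for sensitive features).
        if old_password is None or not verify_password(old_password, target.salt, target.digest):
            return "denied: current password required"
    elif session_user.role != "Administrator":
        return "denied: only administrators may change another user's password"
    elif target.role == "Administrator" and not admins_may_edit_admins:
        # The thread's open question: by default, keep administrators from resetting each other.
        return "denied: administrator accounts may only be changed by their owner"
    target.salt, target.digest = hash_password(new_password)  # admin path needs no old password
    return "ok"
```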


