BDFL - Memuneh (Administrator)
#774686 4-Mar-2013 23:52

That'd be handy too...





Human
#774687 5-Mar-2013 00:03

Let's call it "security awareness day" instead of "oops, I flicked the wrong switch!" :p Everyone should change their passwords sometime!







#774697 5-Mar-2013 01:49

No problem, Maurice.
These things happen, and it seems to me you've dealt with it extremely well. :-)

I must say that I too had some confusion with the entering of username OR email address, but eventually figured something that worked.
Oh, but when asked to enter my "new" PW twice I was really perplexed, I could see only ONE box! Well, I entered a PW there then "Send", hoping it might then ask me for the 2nd version, but no. SOOOO, I entered my PW plus a blank plus my PW again. No joy.
Well, gently seething I tried simply my PW twice back to back - STILL zilch. :(

THAT was about when I noticed the "second" box, away over to the right - not beneath as almost every other site I've seen, AND box outlines quite faint to see on my laptop here.

So, all's well that ends well. :) :)



#774700 5-Mar-2013 03:34

I had no problems and used my username

#774705 5-Mar-2013 06:01

jtbthatsme: Well, I just reset my password; however, I might want to point out it asks for one's username or email address. If you enter the username it came up saying not recognised, or words to that effect. I just changed it to my email address and did it that way instead.


I got this as well.
"Username not recognised", or some similar error message.
Tried multiple times, ensuring I was entering my username correctly.
Entered my email address instead and it worked first time.

#774709 5-Mar-2013 06:41

No problems Mauricio.

It happens occasionally, and there was less damage done than when I stuffed up an SQL update and set the price to $0.00 on everything my (then) employer sold... It was a fun hour, or two, restoring from pricing history tables.

#774715 5-Mar-2013 06:55

One of the security principles in the OWASP Top Ten security vulnerabilities is to reauthenticate a user before allowing a password change. As it is right now, if someone leaves their profile logged in, someone else could change their password easily. Though I guess it doesn't really matter; it's not like Geekzone is internet banking.

I did a review of a website against the OWASP top ten recently, it was an interesting exercise. Worth doing for Geekzone perhaps.



#774717 5-Mar-2013 06:59

I'm curious - from a technical point of view, what did you do to the database to reset everyone's password?

I'm still logged in, so I assume (hope) my actual password hasn't changed in the database.

#774722 5-Mar-2013 07:12

Just letting you know, if you are using Chrome you won't be able to reset your password!
It does not matter whether you enter your user name or email, you don't get any message!

I had to try in IE and it worked!



BDFL - Memuneh (Administrator)
#774724 5-Mar-2013 07:16

timmmay: I did a review of a website against the OWASP top ten recently, it was an interesting exercise. Worth doing for Geekzone perhaps.


Yes, this would be a higher security than we need, although it could be done anyway.

muppet: I'm curious - from a technical point of view, what did you do to the database to reset everyone's password? 


Technically? I was going to update one password but instead typed the command and pressed the EXEC button before finishing up the WHERE clause. That's not very technical...

muppet: I'm still logged in, so I assume (hope) my actual password hasn't changed in the database.


You're logged in because your browser has a token. The password has been changed, so when you logout you will need to reset it - just go to your profile page now and change it.

sqlpro: Just letting you know, if you are using Chrome you won't be able to reset your password!
It does not matter whether you enter your user name or email, you don't get any message!

I had to try in IE and it worked!


I use Chrome as my default browser all the time and used it to reset my own password. You have to make sure you don't have a password add-on such as LastPass filling the password fields for you.





#774725 5-Mar-2013 07:16

timmmay: One of the security principles in the OWASP Top Ten security vulnerabilities is to reauthenticate a user before allowing a password change. As it is right now, if someone leaves their profile logged in, someone else could change their password easily. Though I guess it doesn't really matter; it's not like Geekzone is internet banking.

I did a review of a website against the OWASP top ten recently, it was an interesting exercise. Worth doing for Geekzone perhaps.


At least in this case, if all passwords are reset, how is it going to re-authenticate before allowing a new password?

Mad Scientist
#774726 5-Mar-2013 07:16

If my password still works, do I still need to reset it?








BDFL - Memuneh (Administrator)
#774728 5-Mar-2013 07:20

joker97: If my password still works, do I still need to reset it?


Your password was changed. If you are logged in with the option to stay logged on your browser has a token. You will need to set a new password when you logout.





#774730 5-Mar-2013 07:27

muppet: I'm curious - from a technical point of view, what did you do to the database to reset everyone's password? 

freitasm:
Technically? I was going to update one password but instead typed the command and pressed the EXEC button before finishing up the WHERE clause. That's not very technical...


I think he was asking: did you

a) NULL everyone's password so no-one should be able to log on?
b) Replace everyone's password with an identical HASH, in which case everyone could log on with the same password (if they knew what it was)?
or c) Replace everyone's password with a plain-text string (in which case you're storing plain-text passwords)?



BDFL - Memuneh (Administrator)
#774732 5-Mar-2013 07:42

kenkeniff:
muppet: I'm curious - from a technical point of view, what did you do to the database to reset everyone's password? 

freitasm:
Technically? I was going to update one password but instead typed the command and pressed the EXEC button before finishing up the WHERE clause. That's not very technical...


I think he was asking: did you

a) NULL everyone's password so no-one should be able to log on?
b) Replace everyone's password with an identical HASH, in which case everyone could log on with the same password (if they knew what it was)?
or c) Replace everyone's password with a plain-text string (in which case you're storing plain-text passwords)?


a) NULL password

As for c) if I had stored a plain-text string then no one would be able to login either since the password is hashed and the likelihood of an English word matching a hash is pretty low...
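The incident described in this thread (an UPDATE executed before its WHERE clause was finished, nulling every password hash) can be guarded against at the point where the statement runs. The following is an added example and not Geekzone's code: an in-memory SQLite users table with constructed sample accounts, a PBKDF2 hash that treats a NULL (reset) hash as never verifying, and an update helper that runs inside a transaction and rolls back unless exactly the expected number of rows was touched. The iteration count and account names are assumptions.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

ITERATIONS = 200_000  # PBKDF2 work factor; assumed value, not Geekzone's

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salthex:digesthex' using PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}:{digest.hex()}"

def verify_password(stored: Optional[str], password: str) -> bool:
    """A NULL (reset) hash never verifies: the account can only be recovered via a reset."""
    if stored is None:
        return False
    salt_hex, digest_hex = stored.split(":")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)

def make_db() -> sqlite3.Connection:
    """In-memory users table with constructed sample accounts; autocommit mode so
    transactions are managed explicitly in guarded_update."""
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    for name in ("alice", "bob", "carol"):  # constructed accounts
        conn.execute("INSERT INTO users VALUES (?, ?)", (name, hash_password("old-" + name)))
    return conn

def guarded_update(conn: sqlite3.Connection, sql: str, params: tuple, expected_rows: int = 1) -> int:
    """Run an UPDATE inside a transaction and roll back unless it touched exactly expected_rows.

    An 'UPDATE users SET pw_hash = NULL' run before its WHERE clause is typed reports the
    whole table as modified, so the check fails and nothing is committed.
    """
    cur = conn.cursor()
    cur.execute("BEGIN")
    try:
        cur.execute(sql, params)
        changed = cur.rowcount  # captured before COMMIT, which resets rowcount
        if changed != expected_rows:
            raise RuntimeError(f"update touched {changed} rows, expected {expected_rows}")
    except Exception:
        cur.execute("ROLLBACK")
        raise
    cur.execute("COMMIT")
    return changed
```

The same row-count check can be done in a client-side SQL session by wrapping the statement in BEGIN/ROLLBACK and inspecting the reported row count before issuing COMMIT.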