2876 posts

Uber Geek
+1 received by user: 85

Subscriber

  Reply # 774687 5-Mar-2013 00:03

Let's call it "security awareness day" instead of "oops, I flicked the wrong switch!" :p Everyone should change their passwords sometime!





2 posts

Wannabe Geek


  Reply # 774697 5-Mar-2013 01:49

No problem, Maurice.
These things happen, and seems to me you've dealt with it extremely well. :-)

I must say that I too had some confusion with the entering of username OR email address, but eventually figured something that worked.
Oh, but when asked to enter my "new" PW twice I was really perplexed, I could see only ONE box! Well, I entered a PW there then "Send", hoping it might then ask me for the 2nd version, but no. SOOOO, I entered my PW plus a blank plus my PW again. No joy.
Well, gently seething I tried simply my PW twice back to back - STILL zilch. :(

THAT was about when I noticed the "second" box, away over to the right - not beneath as almost every other site I've seen, AND box outlines quite faint to see on my laptop here.

So, all's well that ends well. :) :)



3 posts

Wannabe Geek


Reply # 774700 5-Mar-2013 03:34

I had no problems and used my username.

975 posts

Ultimate Geek
+1 received by user: 91


  Reply # 774705 5-Mar-2013 06:01

jtbthatsme: Well, I just reset my password; however, I might want to point out it asks for one's username or email address. If you enter the username, it came up saying "not recognised" or words to that effect. I just changed it to my email address and did it that way instead.


I got this as well.
"Username not recognised", or some similar error message.
Tried multiple times, ensuring I was entering my username correctly.
Entered my email address instead and it worked first time.

49 posts

Geek
+1 received by user: 1


  Reply # 774709 5-Mar-2013 06:41

No problems Mauricio.

It happens occasionally, and there was less damage done than when I stuffed up an SQL update and set the price to $0.00 on everything my (then) employer sold...  It was a fun hour, or two, restoring from pricing history tables.

13918 posts

Uber Geek
+1 received by user: 2471

Trusted
Subscriber

  Reply # 774715 5-Mar-2013 06:55

One of the security principles in the OWASP top ten security vulnerabilities is to reauthenticate a user before allowing a password change. As it is right now, if someone leaves their profile logged in, someone else could change their password easily. Though I guess it doesn't really matter; it's not like Geekzone is internet banking.

I did a review of a website against the OWASP top ten recently, it was an interesting exercise. Worth doing for Geekzone perhaps.




AWS Certified Solution Architect Professional, Sysop Administrator Associate, and Developer Associate
TOGAF certified enterprise architect
Professional photographer


1952 posts

Uber Geek
+1 received by user: 723

Trusted

  Reply # 774717 5-Mar-2013 06:59

I'm curious - from a technical point of view, what did you do to the database to reset everyone's password?

I'm still logged in, so I assume (hope) my actual password hasn't changed in the database.

510 posts

Ultimate Geek
+1 received by user: 2


  Reply # 774722 5-Mar-2013 07:12

Just letting you know, if you are using Chrome you won't be able to reset your password!
It does not matter whether you enter username or email, you don't get any message!

I had to try in IE and it worked!



BDFL - Memuneh
60605 posts

Uber Geek
+1 received by user: 11537

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 774724 5-Mar-2013 07:16

timmmay: I did a review of a website against the OWASP top ten recently, it was an interesting exercise. Worth doing for Geekzone perhaps.


Yes, this would be a higher security than we need, although it could be done anyway.

muppet: I'm curious - from a technical point of view, what did you do to the database to reset everyone's password? 


Technically? I was going to update one password but instead typed the command and pressed the EXEC button before finishing up the WHERE clause. That's not very technical...

muppet: I'm still logged in, so I assume (hope) my actual password hasn't changed in the database.


You're logged in because your browser has a token. The password has been changed, so when you log out you will need to reset it. Just go to your profile page now and change it.

sqlpro: Just letting you know, if you are using Chrome you won't be able to reset your password!
It does not matter whether you enter username or email, you don't get any message!

I had to try in IE and it worked!


I use Chrome as my default browser all the time and used it to reset my own password. You have to make sure you don't have a password add-on such as LastPass filling the password fields for you.
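A defensive pattern for the slip freitasm describes above (the UPDATE executed before its WHERE clause was finished), as an added Python example that is not from any poster and not Geekzone's own code: the update runs inside an explicit transaction and is committed only if it touched the number of rows the operator expected. The SQLite table and its three users are constructed for the example.

```python
import sqlite3

# Constructed stand-in for a user table (not Geekzone's schema); three hashed users.
def make_db():
    con = sqlite3.connect(":memory:", isolation_level=None)  # manual transactions
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "alice", "hash-a"), (2, "bob", "hash-b"), (3, "carol", "hash-c")])
    return con

def guarded_update(con, sql, params, expected_rows):
    """Run an UPDATE inside an explicit transaction and keep it only if it touched
    exactly expected_rows rows. An UPDATE executed before its WHERE clause is
    finished (the accident in this thread) hits every row, so the rowcount
    mismatch triggers a rollback instead of a commit."""
    cur = con.cursor()
    cur.execute("BEGIN")
    cur.execute(sql, params)
    touched = cur.rowcount
    if touched != expected_rows:
        cur.execute("ROLLBACK")
        return ("rolled back", touched)
    cur.execute("COMMIT")
    return ("committed", touched)

def null_hash_count(con):
    """How many accounts currently have no password hash at all."""
    return con.execute("SELECT COUNT(*) FROM users WHERE pw_hash IS NULL").fetchone()[0]

if __name__ == "__main__":
    con = make_db()
    # The WHERE clause never got typed: every row matches, so nothing is kept.
    print(guarded_update(con, "UPDATE users SET pw_hash = NULL", (), 1))
    # The intended single-row reset goes through.
    print(guarded_update(con, "UPDATE users SET pw_hash = NULL WHERE id = ?", (2,), 1))
    print(null_hash_count(con))
```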





510 posts

Ultimate Geek
+1 received by user: 2


  Reply # 774725 5-Mar-2013 07:16

timmmay: One of the security principles in the OWASP top ten security vulnerabilities is to reauthenticate a user before allowing a password change. As it is right now, if someone leaves their profile logged in, someone else could change their password easily. Though I guess it doesn't really matter; it's not like Geekzone is internet banking.

I did a review of a website against the OWASP top ten recently, it was an interesting exercise. Worth doing for Geekzone perhaps.


At least in this case, if all passwords are reset, how is it going to re-authenticate before allowing a new password?

Mad Scientist
18454 posts

Uber Geek
+1 received by user: 2339

Trusted
Lifetime subscriber

  Reply # 774726 5-Mar-2013 07:16

If my password still works, do I still need to reset it?



BDFL - Memuneh
60605 posts

Uber Geek
+1 received by user: 11537

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 774728 5-Mar-2013 07:20

joker97: If my password still works, do I still need to reset it?


Your password was changed. If you are logged in with the option to stay logged on, your browser has a token. You will need to set a new password when you log out.





563 posts

Ultimate Geek
+1 received by user: 89


  Reply # 774730 5-Mar-2013 07:27

muppet: I'm curious - from a technical point of view, what did you do to the database to reset everyone's password? 

freitasm:
Technically? I was going to update one password but instead typed the command and pressed the EXEC button before finishing up the WHERE clause. That's not very technical...


I think he was asking, did you:

a) NULL everyone's password so no-one should be able to log on?
b) Replace everyone's password with an identical HASH, in which case everyone could log on with the same password (if they knew what it was)?
or c) Replace everyone's password with a plain-text string (in which case you're storing plain-text passwords)?







BDFL - Memuneh
60605 posts

Uber Geek
+1 received by user: 11537

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 774732 5-Mar-2013 07:42

kenkeniff:
muppet: I'm curious - from a technical point of view, what did you do to the database to reset everyone's password? 

freitasm:
Technically? I was going to update one password but instead typed the command and pressed the EXEC button before finishing up the WHERE clause. That's not very technical...


I think he was asking, did you:

a) NULL everyone's password so no-one should be able to log on?
b) Replace everyone's password with an identical HASH, in which case everyone could log on with the same password (if they knew what it was)?
or c) Replace everyone's password with a plain-text string (in which case you're storing plain-text passwords)?


a) NULL password

As for c), if I had stored a plain-text string then no one would be able to log in either, since the password is hashed and the likelihood of an English word matching a hash is pretty low...
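An added Python example, not posted by anyone in the thread and not Geekzone's code, that ties together timmmay's re-authentication point and freitasm's answer above: login fails closed when the hash column holds NULL or a plain-text string, and a password change first verifies the current password, so an account whose hash was nulled can only recover through the email reset flow. The PBKDF2 storage format and the SQLite table are constructed assumptions for the example.

```python
import hashlib, hmac, os, sqlite3

# Assumed stored form: salt_hex$pbkdf2_sha256_hex (a constructed convention, not Geekzone's).
def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + dk.hex()

def verify_password(stored, password):
    """Fail closed: a NULL stored hash (the thread's reset) never verifies, and a
    plain-text string sitting in the hash column never matches either, because
    the comparison is against a derived key, never the raw stored value."""
    if not stored or "$" not in stored:
        return False
    salt_hex, _ = stored.split("$", 1)
    try:
        candidate = hash_password(password, bytes.fromhex(salt_hex))
    except ValueError:            # salt part is not hex: malformed entry
        return False
    return hmac.compare_digest(candidate, stored)

def make_db():
    """Constructed user table (not Geekzone's schema) covering the three cases."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'alice', ?)", (hash_password("correct horse"),))
    con.execute("INSERT INTO users VALUES (2, 'bob', NULL)")          # nulled by the reset
    con.execute("INSERT INTO users VALUES (3, 'carol', 'letmein')")   # plain text in hash column
    con.commit()
    return con

def login(con, name, password):
    row = con.execute("SELECT pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    return row is not None and verify_password(row[0], password)

def change_password(con, name, current_password, new_password):
    """Re-authenticate with the current password before changing it, so a
    forgotten logged-in session alone cannot set a new one. Accounts with a
    NULL hash cannot pass this check and must use the email reset path."""
    if not login(con, name, current_password):
        return False
    con.execute("UPDATE users SET pw_hash = ? WHERE name = ?",
                (hash_password(new_password), name))
    con.commit()
    return True
```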





