Geekzone: technology news, blogs, forums
Reply # 774687 5-Mar-2013 00:03

Let's call it "security awareness day" instead of "oops, I flicked the wrong switch!" :p Everyone should change their passwords sometime!

Reply # 774697 5-Mar-2013 01:49

No problem, Maurice.
These things happen, and seems to me you've dealt with it extremely well. :-)

I must say that I too had some confusion with the entering of username OR email address, but eventually figured something that worked.
Oh, but when asked to enter my "new" PW twice I was really perplexed, I could see only ONE box! Well, I entered a PW there then "Send", hoping it might then ask me for the 2nd version, but no. SOOOO, I entered my PW plus a blank plus my PW again. No joy.
Well, gently seething I tried simply my PW twice back to back - STILL zilch. :(

THAT was about when I noticed the "second" box, away over to the right - not beneath, as on almost every other site I've seen, AND the box outlines are quite faint to see on my laptop here.

So, all's well that ends well. :) :)

Reply # 774700 5-Mar-2013 03:34

I had no problems and used my username.

Reply # 774705 5-Mar-2013 06:01

jtbthatsme: Well, I just reset my password; however, I might want to point out it asks for one's username or email address. If you enter the username, it came up saying "not recognised" or words to that effect. I just changed it to my email address and did it that way instead.


I got this as well: "username not recognised", or some similar error message.
Tried multiple times, ensuring I was entering my username correctly.
Entered my email address instead and it worked first time.

Reply # 774709 5-Mar-2013 06:41

No problems, Mauricio.

It happens occasionally, and there was less damage done than when I stuffed up an SQL update and set the price to $0.00 on everything my (then) employer sold... It was a fun hour, or two, restoring from pricing history tables.

Reply # 774715 5-Mar-2013 06:55

One of the security principles in the OWASP top ten security vulnerabilities is to reauthenticate a user before allowing a password change. As it is right now if someone leaves their profile logged in someone else could change their password easily. Though I guess it doesn't really matter, it's not like geekzone is internet banking.

I did a review of a website against the OWASP top ten recently, it was an interesting exercise. Worth doing for Geekzone perhaps.




Reply # 774717 5-Mar-2013 06:59

I'm curious - from a technical point of view, what did you do to the database to reset everyone's password?

I'm still logged in, so I assume (hope) my actual password hasn't changed in the database.

Reply # 774722 5-Mar-2013 07:12

Just letting you know, if you are using Chrome you won't be able to reset your password!
It does not matter whether you enter username or email, you don't get any message!

I had to try in IE and it worked!



BDFL - Memuneh
Reply # 774724 5-Mar-2013 07:16

timmmay: I did a review of a website against the OWASP top ten recently, it was an interesting exercise. Worth doing for Geekzone perhaps.


Yes, this would be higher security than we need, although it could be done anyway.

muppet: I'm curious - from a technical point of view, what did you do to the database to reset everyone's password? 


Technically? I was going to update one password but instead typed the command and pressed the EXEC button before finishing up the WHERE clause. That's not very technical...

muppet: I'm still logged in, so I assume (hope) my actual password hasn't changed in the database.


You're logged in because your browser has a token. The password has been changed, so when you logout you will need to reset it - just go to your profile page now and change it.

sqlpro: Just letting you know, if you are using Chrome you won't be able to reset your password!
It does not matter whether you enter username or email, you don't get any message!

I had to try in IE and it worked!


I use Chrome as my default browser all the time and used it to reset my own password. You have to make sure you don't have a password add-on such as LastPass filling the password fields for you.





Reply # 774725 5-Mar-2013 07:16

timmmay: One of the security principles in the OWASP top ten security vulnerabilities is to reauthenticate a user before allowing a password change. As it is right now if someone leaves their profile logged in someone else could change their password easily. Though I guess it doesn't really matter, it's not like geekzone is internet banking.

I did a review of a website against the OWASP top ten recently, it was an interesting exercise. Worth doing for Geekzone perhaps.


At least in this case, if all passwords are reset, how is it going to re-authenticate before allowing a new password?

Mad Scientist
Reply # 774726 5-Mar-2013 07:16

If my password still works, do I still need to reset it?



BDFL - Memuneh
Reply # 774728 5-Mar-2013 07:20

joker97: If my password still works, do I still need to reset it?


Your password was changed. If you are logged in with the option to stay logged on, your browser has a token. You will need to set a new password when you log out.





Reply # 774730 5-Mar-2013 07:27

muppet: I'm curious - from a technical point of view, what did you do to the database to reset everyone's password? 

freitasm:
Technically? I was going to update one password but instead typed the command and pressed the EXEC button before finishing up the WHERE clause. That's not very technical...


I think he was asking, did you:

a) NULL everyone's password so no-one should be able to log on?
b) Replace everyone's password with an identical HASH, in which case everyone could log on with the same password (if they knew what it was)?
or c) Replace everyone's password with a plain-text string (in which case you're storing plain-text passwords)?







BDFL - Memuneh
Reply # 774732 5-Mar-2013 07:42

kenkeniff:
muppet: I'm curious - from a technical point of view, what did you do to the database to reset everyone's password? 

freitasm:
Technically? I was going to update one password but instead typed the command and pressed the EXEC button before finishing up the WHERE clause. That's not very technical...


I think he was asking, did you:

a) NULL everyone's password so no-one should be able to log on?
b) Replace everyone's password with an identical HASH, in which case everyone could log on with the same password (if they knew what it was)?
or c) Replace everyone's password with a plain-text string (in which case you're storing plain-text passwords)?


a) NULL password

As for c) if I had stored a plain-text string then no one would be able to login either since the password is hashed and the likelihood of an English word matching a hash is pretty low...
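As an added example (not Geekzone's code and not posted by anyone in this thread) for the two technical points above, the UPDATE that ran before its WHERE clause was finished and the NULL-password outcome: a Python/sqlite3 sketch in which a password UPDATE is only committed if it changed exactly the expected number of rows, plus a login check that treats a NULL stored hash as "cannot log in". The `users` table, its column names and the salted SHA-256 hashing are assumptions made for the demo.

```python
import hashlib
import os
import sqlite3

def hash_password(password, salt=None):
    """Salted SHA-256, assumed for the demo only; a real site would use a password KDF."""
    salt = salt or os.urandom(16).hex()
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return salt + "$" + digest

def open_demo_db():
    """Constructed sample data: three users, each with a hashed password 'old-<name>'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE, pw_hash TEXT)")
    for uid, name in enumerate(["alice", "bob", "carol"], start=1):
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (uid, name, hash_password("old-" + name)))
    conn.commit()
    return conn

def set_password(conn, sql, params, expected_rows=1):
    """Run a password UPDATE and keep it only if it changed exactly expected_rows rows.
    sqlite3 opens a transaction before the UPDATE, so a statement that hits every row
    (the missing-WHERE-clause case) is rolled back instead of committed.
    Returns the number of rows the statement matched."""
    cur = conn.execute(sql, params)
    affected = cur.rowcount
    if affected == expected_rows:
        conn.commit()
    else:
        conn.rollback()
    return affected

def verify_login(conn, name, password):
    """A NULL stored hash can never verify: a NULLed password column locks the user out."""
    row = conn.execute("SELECT pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None or row[0] is None:
        return False
    salt = row[0].split("$", 1)[0]
    return hash_password(password, salt) == row[0]

if __name__ == "__main__":
    db = open_demo_db()
    # The accident from the thread: UPDATE executed before the WHERE clause was typed.
    print("rows hit without WHERE:", set_password(db, "UPDATE users SET pw_hash = NULL", ()))
    print("alice still logs in after rollback:", verify_login(db, "alice", "old-alice"))
    # The intended single-user change.
    print("rows hit with WHERE:", set_password(db, "UPDATE users SET pw_hash = ? WHERE name = ?",
                                               (hash_password("new-pw"), "alice")))
    print("alice logs in with new password:", verify_login(db, "alice", "new-pw"))
```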





