[CWB] Little gap on account created by admin

Hardie, Andrew a.hardie at lancaster.ac.uk
Tue Feb 13 19:00:56 CET 2018

Hi Andrés,

I am very confused – if you are creating accounts for people, but not telling them the username/password, how do you expect them to log in?

Anyway, onto the main point -- the purpose of the verification email is not to provide the user with a log-in link, it’s to require the system to verify that the email address is real and not mis-typed or entered by someone other than the owner of that email account. If you are sure you’ve entered the correct email address into the form when creating the account, there is no reason to send a verification email.

The idea of having an initial login/reset password link sent after signup is appealing from the POV of usability, but not of security. Such a link would be the equivalent of both username and password (since it contains all that is needed to log in) being sent by possibly-insecure email. By contrast, a verification link email does not contain either a username or password equivalent. The recipient of the email still needs information that only the genuine user will have. It is thus more secure to send by email. A malefactor who intercepts a verification email doesn’t gain the ability to log in as the victim.

Obviously, if you are emailing passwords to people this is not a concern for you (likewise, if a server is running on HTTP rather than HTTPS there are much easier hacking possibilities), but I have learned not to make assumptions about how much security different server admins would like to have…



From: cwb-bounces at sslmit.unibo.it [mailto:cwb-bounces at sslmit.unibo.it] On Behalf Of "Andrés Chandía"
Sent: 12 February 2018 16:28
To: cwb at sslmit.unibo.it
Subject: [CWB] Little gap on account created by admin

Hi there, I have created an account for a user and at "Send verification email?" I selected "Yes, send a verification email."
The process goes well and if the user clicks on the activation link it succeeds, but the user is sent to the login dialog where he is asked for the username and password, and this data is not known by the user because it was the admin who created the account and assigned a username and a password. So every time I've been asked for an account the user has sent me back a mail saying he's not able to access and that he does not (obviously) know the username or password to access, so I have to reassign a password and communicate the username and password to the user by mail...

Wouldn't it be easier if, when the user clicks on the activation link, he got logged in automatically and from then on was asked to change/assign a password for his user?


andrés chandía
Dungupeyem<http://chandia.net/content/dungupeyem> | IECMap<http://chandia.net/content/iecmap> | ISECMap<http://chandia.net/content/isecmap> | NMT<http://chandia.net/content/nmt> | Corlexim<http://corlexim.cl>

administrator of:
Parles.upf<http://parles.upf.edu> | IWCH<https://iwch.upf.edu> | Amind terapia<http://amindterapia.com> | ONG Mapuche koyaktu<http://koyaktumapuche.net> | Nocando<http://parles.upf.edu/llocs/nocando> | IAC<https://iac.upf.edu> | CddZ<https://iac.upf.edu/cddz> | ISAC<https://iac.upf.edu/isac> | CatCg<https://catcg.upf.edu>
Please do not print unnecessarily. Take care of the environment!
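The distinction Andrew draws above, between a verification link that only proves the mailbox is real and a login link that would itself be a credential, as an added illustration (this is example code written for this page, not CQPweb's own account code; the in-memory tables, the rule that unverified accounts cannot log in, and the PBKDF2 parameters are assumptions):

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stand-ins for a user table, a token table and a
# session table (assumption: a real deployment persists these).
ACCOUNTS = {}        # username -> account record
VERIFY_TOKENS = {}   # sha256(token) -> (username, expiry timestamp)
SESSIONS = {}        # session id -> username

def create_account(username, password, email):
    """Admin-created account; the password is stored only as a salted hash."""
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    ACCOUNTS[username] = {"email": email, "salt": salt,
                          "pw_hash": pw_hash, "verified": False}

def issue_verification_token(username, ttl=3600):
    """Mint a random, single-use, expiring token; only its hash is stored,
    so a leaked table does not yield usable links. The raw token is what
    goes into the e-mailed link."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    VERIFY_TOKENS[digest] = (username, time.time() + ttl)
    return token

def redeem_verification_token(token):
    """Clicking the link flips the 'verified' flag and returns nothing that
    logs anyone in: an intercepted link confers no session."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = VERIFY_TOKENS.pop(digest, None)   # pop makes it single use
    if entry is None:
        return False
    username, expiry = entry
    if time.time() > expiry:
        return False
    ACCOUNTS[username]["verified"] = True
    return True

def login(username, password):
    """Logging in still requires the secret that only the genuine user holds
    (assumption: unverified accounts are refused)."""
    acct = ACCOUNTS.get(username)
    if acct is None or not acct["verified"]:
        return None
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), acct["salt"], 200_000)
    if not hmac.compare_digest(candidate, acct["pw_hash"]):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid
```

The auto-login variant Andrés asks for would instead have the redeem step create a session, which is exactly why the emailed link would then need to be protected like a password.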
