[CWB] Little gap on account created by admin

"Andrés Chandía" andres at chandia.net
Tue Feb 13 20:16:00 CET 2018



Ok, thanks for the explanation. I'm used to a system where the verification mail is a one-time login, so at that moment you assign the password you prefer.... but the way you explain CQPWeb works is fine for me, now that I have that clear.

Thanks and sorry!


On Tue, 13 February 2018, 19:00, Hardie, Andrew wrote:

Hi Andrés,

I am very confused – if you are creating accounts for people, but not telling them the username/password, how do you expect them to log in?

Anyway, onto the main point -- The purpose of the verification email is not to provide the user with a log-in link, it's to require the system to verify that the email address is real and not mis-typed or entered by someone other than the owner of that email account. If you are sure you've entered the correct email address into the form when creating the account, there is no reason to send a verification email.

The idea of having an initial login/reset password link sent after signup is appealing from the POV of usability, but not of security. Such a link would be the equivalent of both username and password (since it contains all that is needed to log in) being sent by possibly-insecure email. By contrast, a verification link email does not contain either a username or password equivalent. The recipient of the email still needs information that only the genuine user will have. It is thus more secure to send by email. A malefactor who intercepts a verification email doesn't gain the ability to log in as the victim.

Obviously if you are emailing passwords to people this is not a concern for you (likewise if a server is running on HTTP rather than HTTPS there are much easier hacking possibilities), but I have learned not to make assumptions about how much security different server admins would like to have…

best

Andrew.


From: cwb-bounces at sslmit.unibo.it [mailto:cwb-bounces at sslmit.unibo.it] On Behalf Of "Andrés Chandía"
Sent: 12 February 2018 16:28
To: cwb at sslmit.unibo.it
Subject: [CWB] Little gap on account created by admin

Hi there, I have created an account for a user and at the "Send verification email?" I have selected "Yes, send a verification email." The process goes well and if the user clicks on the activation link it succeeds, but the user is sent to the login dialog where he is asked for the username and password, but these data are not known by the user because the admin was who created the account, who assigned a username and a password. So every time I've been requested for an account the user has sent me back a mail saying he's not able to access and that he does not (obviously) know the username or password to access, so I have to reassign a password and communicate to the user by mail the username and password...

Wouldn't it be easier that when the user clicks on the activation link he gets logged in automatically and from then on he would be requested to change/assign a password to his user?

Thanks

_______________________
andrés chandía

Dungupeyem | IECMap | ISECMap | NMT | Corlexim

administrator of:
Parles.upf | IWCH | Amind terapia | ONG Mapuche koyaktu | Nocando | IAC | CddZ | ISAC | CatCg

Don't print unnecessarily. Take care of the environment!
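The distinction Andrew draws in the thread above (a verification link proves the email address but carries no credential equivalent, whereas a link that logs the holder straight in is a username and password sent by email) as an added example; this is not code from CQPWeb or from either poster. It assumes an in-memory account store, a 24-hour token lifetime, PBKDF2 for password storage, and a constructed user "alice"; the names AccountStore, confirm_email and consume_login_link are made up for the illustration.

```python
"""Verification links vs. one-time login links (constructed illustration)."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 24 * 3600  # assumed lifetime of any emailed link
PBKDF2_ROUNDS = 200_000        # assumed password-hashing work factor


def _hash_token(token: str) -> str:
    # Only the hash is stored: reading the token table does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()


class AccountStore:
    """In-memory stand-in for an application's user, token and session tables (hypothetical)."""

    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}
        self.tokens: Dict[str, dict] = {}    # token hash -> {username, purpose, expires}
        self.sessions: Dict[str, str] = {}   # session id -> username

    def create_user(self, username: str, password: str, email: str) -> None:
        # The admin-created account from the thread: password set by the admin, email unverified.
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.users[username] = {"salt": salt, "pw_hash": pw_hash,
                                "email": email, "email_verified": False}

    def _issue(self, username: str, purpose: str, now: Optional[float]) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # 256 bits of randomness, not guessable
        self.tokens[_hash_token(token)] = {"username": username, "purpose": purpose,
                                           "expires": now + TOKEN_TTL_SECONDS}
        return token  # this is what goes into the emailed URL

    def _consume(self, token: str, purpose: str, now: Optional[float]) -> Optional[str]:
        now = time.time() if now is None else now
        rec = self.tokens.pop(_hash_token(token), None)  # single use: gone on first attempt
        if rec is None or rec["purpose"] != purpose or now > rec["expires"]:
            return None
        return rec["username"]

    # --- The design Andrew describes: the link proves the address, nothing more ---
    def issue_verification_token(self, username: str, now: Optional[float] = None) -> str:
        return self._issue(username, "verify", now)

    def confirm_email(self, token: str, now: Optional[float] = None) -> bool:
        username = self._consume(token, "verify", now)
        if username is None:
            return False
        self.users[username]["email_verified"] = True
        return True  # deliberately returns no session: the holder must still log in

    def login(self, username: str, password: str) -> Optional[str]:
        user = self.users.get(username)
        if user is None:
            return None
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, user["pw_hash"]):
            return None
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = username
        return session_id

    # --- The alternative Andrés asked for: the link itself logs the holder in ---
    def issue_login_link(self, username: str, now: Optional[float] = None) -> str:
        return self._issue(username, "login", now)

    def consume_login_link(self, token: str, now: Optional[float] = None) -> Optional[str]:
        # Whoever holds this token gets a session, so the email now carries a
        # credential equivalent; expiry and single use limit, but do not remove, that risk.
        username = self._consume(token, "login", now)
        if username is None:
            return None
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = username
        return session_id


def demo():
    """Walk through the verification flow; returns (verified, replayed, wrong_pw_rejected, login_ok)."""
    store = AccountStore()
    store.create_user("alice", "correct horse", "alice@example.org")  # constructed user
    link = store.issue_verification_token("alice", now=1000.0)
    verified = store.confirm_email(link, now=1500.0)     # True: address confirmed
    replayed = store.confirm_email(link, now=1600.0)     # False: token already used
    wrong = store.login("alice", "guess") is None        # True: the link gave no credentials
    ok = store.login("alice", "correct horse") is not None
    return verified, replayed, wrong, ok


if __name__ == "__main__":
    print(demo())
```

The point of the split into confirm_email and consume_login_link is what the thread turns on: both tokens are random, hashed at rest, single-use and time-limited, but only the second one yields a session, so only the second one is worth intercepting. The administrator's remaining job in the first design is exactly what Andrés describes, handing the username and initial password to the user through some channel other than the verification mail.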