
<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Joseph Reynolds <<a href="mailto:jrey@linux.ibm.com">jrey@linux.ibm.com</a>> 于2019年8月29日周四 上午3:48写道：<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>

On 8/28/19 3:20 AM, George Liu (刘锡伟) wrote:<br>

><br>

> I want to discuss with everyone about the solution to change the login <br>

> password.<br>

><br>

>   In the WEB, When the user needs to change the login password, the <br>

> current solution is to directly enter the new password twice to change <br>

> successfully, but the old password is not verified. the advantage is <br>

> that we can use the new password through this solution if we forget <br>

> the old password. but for the security reasons, I think should <br>

> verifying the old password instead of directly entering the new <br>

> password before change login password.<br>

><br>

> if everyone have any ideas or experience, please share, thanks!<br>

><br>

Are you referring to the phosphor-webui design mentioned here?: <br>

<a href="https://github.com/ibm-openbmc/dev/issues/1048" rel="noreferrer" target="_blank">https://github.com/ibm-openbmc/dev/issues/1048</a><br>

<br>

OWASP has some recommendations:<br>

<a href="https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#require-re-authentication-for-sensitive-features" rel="noreferrer" target="_blank">https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#require-re-authentication-for-sensitive-features</a><br>

<a href="https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html#step-4-allow-user-to-change-password-in-the-existing-session" rel="noreferrer" target="_blank">https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html#step-4-allow-user-to-change-password-in-the-existing-session</a></blockquote><div> </div>Thanks, the password change was mentioned in step 4.<br>I think should add an input field to enter the old password and verify it when the form is submitted(phosphor-webui).<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">

<br>

- Joseph<br>

<br>

</blockquote></div></div>