<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Joseph Reynolds <<a href="mailto:jrey@linux.ibm.com">jrey@linux.ibm.com</a>> wrote on Thu, Aug 29, 2019 at 3:48 AM:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
On 8/28/19 3:20 AM, George Liu (刘锡伟) wrote:<br>
><br>
> I want to discuss with everyone the solution for changing the login <br>
> password.<br>
><br>
>   In the web UI, when the user needs to change the login password, the <br>
> current solution is to directly enter the new password twice to change <br>
> it successfully, but the old password is not verified. The advantage is <br>
> that we can still use a new password through this solution if we forget <br>
> the old password, but for security reasons I think we should <br>
> verify the old password instead of directly entering the new <br>
> password before changing the login password.<br>
><br>
> If anyone has any ideas or experience, please share, thanks!<br>
><br>
Are you referring to the phosphor-webui design mentioned here? <br>
<a href="https://github.com/ibm-openbmc/dev/issues/1048" rel="noreferrer" target="_blank">https://github.com/ibm-openbmc/dev/issues/1048</a><br>
<br>
OWASP has some recommendations:<br>
<a href="https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#require-re-authentication-for-sensitive-features" rel="noreferrer" target="_blank">https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#require-re-authentication-for-sensitive-features</a><br>
<a href="https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html#step-4-allow-user-to-change-password-in-the-existing-session" rel="noreferrer" target="_blank">https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html#step-4-allow-user-to-change-password-in-the-existing-session</a></blockquote><div> </div>Thanks, the password change is mentioned in step 4.<br>I think we should add an input field for entering the old password and verify it when the form is submitted (phosphor-webui).<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
- Joseph<br>
<br>
</blockquote></div></div>