BMCWeb changes login password
Joseph Reynolds
jrey at linux.ibm.com
Thu Aug 29 05:48:11 AEST 2019
On 8/28/19 3:20 AM, George Liu (刘锡伟) wrote:
>
> I want to discuss with everyone about the solution to change the login
> password.
>
> In the web UI, when the user needs to change the login password, the
> current solution is to directly enter the new password twice to change
> it successfully, but the old password is not verified. The advantage is
> that we can use the new password through this solution if we forget
> the old password. But for security reasons, I think we should
> verify the old password instead of directly entering the new
> password before changing the login password.
>
> If anyone has any ideas or experience, please share, thanks!
>
Are you referring to the phosphor-webui design mentioned here?
https://github.com/ibm-openbmc/dev/issues/1048
OWASP has some recommendations:
https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#require-re-authentication-for-sensitive-features
https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html#step-4-allow-user-to-change-password-in-the-existing-session
- Joseph
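To make the two designs in the thread concrete, here is an added example (not OpenBMC or bmcweb code) of a change-password handler written both ways: the current form, which only compares the two new entries, and the re-authenticating form the OWASP cheat sheet recommends, which requires the current password before accepting a new one. The in-memory credential store, PBKDF2 parameters and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed in-memory credential store: username -> (salt, PBKDF2-SHA256 digest).
# Parameters are illustrative; a real BMC would delegate to its account backend.
PBKDF2_ITERATIONS = 200_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def create_user(store: dict, user: str, password: str) -> None:
    salt = os.urandom(16)
    store[user] = (salt, _hash(password, salt))


def verify(store: dict, user: str, password: str) -> bool:
    rec = store.get(user)
    if rec is None:
        return False
    salt, digest = rec
    # Constant-time comparison avoids leaking digest prefixes via timing.
    return hmac.compare_digest(_hash(password, salt), digest)


def change_password_unverified(store: dict, user: str, new_pw: str, confirm_pw: str) -> bool:
    """Current design described in the thread: only the two new entries are compared.
    Anyone holding the session (hijacked cookie, unattended browser) can replace the password."""
    if new_pw != confirm_pw:
        return False
    create_user(store, user, new_pw)
    return True


def change_password_reauth(store: dict, user: str, current_pw: str,
                           new_pw: str, confirm_pw: str) -> bool:
    """Hardened form: the caller must prove knowledge of the current password first.
    Password recovery (forgot password) is handled by a separate reset flow, not here."""
    if not verify(store, user, current_pw):
        return False
    if new_pw != confirm_pw:
        return False
    create_user(store, user, new_pw)
    return True
```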