BMCWeb changes login password

George Liu liuxiwei1013 at gmail.com
Thu Aug 29 17:52:26 AEST 2019


Joseph Reynolds <jrey at linux.ibm.com> wrote on Thursday, 29 August 2019 at 3:48 AM:

>
> On 8/28/19 3:20 AM, George Liu (刘锡伟) wrote:
> >
> > I want to discuss with everyone the solution for changing the login
> > password.
> >
> >   In the web UI, when the user needs to change the login password, the
> > current solution is to directly enter the new password twice to change
> > it successfully, but the old password is not verified. The advantage is
> > that we can set a new password through this solution if we forget
> > the old password, but for security reasons I think we should
> > verify the old password instead of directly entering the new
> > password before changing the login password.
> >
> > If anyone has any ideas or experience, please share, thanks!
> >
> Are you referring to the phosphor-webui design mentioned here?:
> https://github.com/ibm-openbmc/dev/issues/1048
>
> OWASP has some recommendations:
>
> https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#require-re-authentication-for-sensitive-features
>
> https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html#step-4-allow-user-to-change-password-in-the-existing-session


Thanks, the password change was mentioned in step 4.
I think we should add an input field to enter the old password and verify it
when the form is submitted (phosphor-webui).
>
>
> - Joseph
>
>
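As an added example, not code from BMCWeb, phosphor-webui or either author of this thread: a small Python model of the two flows discussed above, the current one (new password entered twice, old password never checked) beside the proposed re-authenticating one. The in-memory user store, the PBKDF2 parameters, the session model and the sample credentials are all constructed assumptions. The check belongs on the server side (BMCWeb), not only in the web UI form, since a browser-side check can be skipped by calling the API directly.

```python
"""Password change: unverified flow (as described in the thread) vs. re-authenticating flow.
Added illustration; not BMCWeb or phosphor-webui code."""
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000  # assumption: illustrative work factor, not a BMCWeb setting


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class UserStore:
    """Constructed in-memory user database and session table."""

    def __init__(self):
        self._creds = {}     # user name -> (salt, pbkdf2 hash)
        self._sessions = {}  # session token -> user name

    def add_user(self, name, password):
        salt = os.urandom(16)
        self._creds[name] = (salt, _hash_password(password, salt))

    def verify(self, name, password):
        if name not in self._creds:
            # Hash anyway so an unknown user takes as long as a wrong password.
            _hash_password(password, b"\0" * 16)
            return False
        salt, stored = self._creds[name]
        return hmac.compare_digest(stored, _hash_password(password, salt))

    def login(self, name, password):
        if not self.verify(name, password):
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = name
        return token

    def session_user(self, token):
        return self._sessions.get(token)

    def set_password(self, name, new_password, keep_token):
        salt = os.urandom(16)
        self._creds[name] = (salt, _hash_password(new_password, salt))
        # Revoke the user's other sessions so an unrelated session does not outlive the change.
        self._sessions = {t: u for t, u in self._sessions.items()
                          if u != name or t == keep_token}


def change_password_unverified(store, token, new_pw, confirm_pw):
    """Current flow: any valid session can set a new password without knowing the old one."""
    user = store.session_user(token)
    if user is None:
        return "not logged in"
    if new_pw != confirm_pw:
        return "passwords do not match"
    store.set_password(user, new_pw, keep_token=token)
    return "ok"


def change_password_verified(store, token, current_pw, new_pw, confirm_pw):
    """Proposed flow: the current password is required and checked on the server."""
    user = store.session_user(token)
    if user is None:
        return "not logged in"
    if new_pw != confirm_pw:
        return "passwords do not match"
    if not store.verify(user, current_pw):
        return "current password incorrect"
    if new_pw == current_pw:
        return "new password must differ"
    store.set_password(user, new_pw, keep_token=token)
    return "ok"


def demo():
    """Run both flows against constructed credentials and report what each allowed."""
    store = UserStore()
    store.add_user("admin", "old-pass-1")  # constructed sample credentials
    s1 = store.login("admin", "old-pass-1")
    s2 = store.login("admin", "old-pass-1")  # a second session for the same user
    out = {}
    # Unverified flow: the second session changes the password without presenting it.
    out["unverified"] = change_password_unverified(store, s2, "new-pass-2", "new-pass-2")
    out["old_pw_still_valid"] = store.verify("admin", "old-pass-1")
    out["s1_alive_after_change"] = store.session_user(s1) is not None
    # Verified flow: a wrong current password is rejected, the right one is accepted.
    out["wrong_current"] = change_password_verified(store, s2, "guess", "new-pass-3", "new-pass-3")
    out["verified"] = change_password_verified(store, s2, "new-pass-2", "new-pass-3", "new-pass-3")
    out["new_pw_valid"] = store.verify("admin", "new-pass-3")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The comparison in `verify` uses `hmac.compare_digest` and hashes even for unknown users, so the re-authentication step does not leak which part of the check failed through timing; the session revocation in `set_password` follows the OWASP advice linked above on treating a password change as a session boundary.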