BMCWeb changes login password
Wang, Kuiying
kuiying.wang at intel.com
Fri Aug 30 17:18:28 AEST 2019
Currently only administrator is allowed to add user/modify user/change password.
Administrator has the permission to change other users password or delete it directly.
Administrator no need to know the old password of other users.
For administrator to change itself password thing, still no need the old password, because administrator is already login a session.
So we don’t need to add “input field to enter the old password”.
But there is an open for multiple administrator user supporting, currently administrator user could add more administrator level users.
And anyone of the administrators login, he could modify other administrator users like change password or delete it directly.
I think it is a bit security issue. Have to restrict multiple administrator user or do not allow administrator to modify other administrator users.
Thanks,
Kwin.
>
> On 8/28/19 3:20 AM, George Liu (刘锡伟) wrote:
> >
> > I want to discuss with everyone about the solution to change the login
> > password.
> >
> > In the WEB, When the user needs to change the login password, the
> > current solution is to directly enter the new password twice to change
> > successfully, but the old password is not verified. the advantage is
> > that we can use the new password through this solution if we forget
> > the old password. but for the security reasons, I think should
> > verifying the old password instead of directly entering the new
> > password before change login password.
> >
> > if everyone have any ideas or experience, please share, thanks!
> >
> Are you referring to the phosphor-webui design mentioned here?:
> https://github.com/ibm-openbmc/dev/issues/1048
>
> OWASP has some recommendations:
>
> https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#require-re-authentication-for-sensitive-features
>
> https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html#step-4-allow-user-to-change-password-in-the-existing-session
Thanks, the password change was mentioned in step 4.
I think should add an input field to enter the old password and verify it
when the form is submitted(phosphor-webui).
>
>
> - Joseph
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ozlabs.org/pipermail/openbmc/attachments/20190830/6914b820/attachment.htm>
More information about the openbmc
mailing list