OpenAM reset password email sending to old email id - openam

I am using Forgerock OpenAM 13.0.0 as an identity provider.
I have tried changing the email ID and resetting the password through the REST API. But when I tried to reset the password, it sent the email to the old email address. I didn't see any reference to the old email in OpenAM or OpenDJ; I waited 24 hours and it was still sending to the old email. It is fixed only after restarting the OpenAM server. Is there any quick fix or alternative way to send to the correct email?

Related

Python cannot send email from gmail account with smtp

I used a Gmail account to send an email notification when my script fails. Since May 30, 2022, Gmail has stopped supporting access via "Less secure app access":
This setting is no longer available.
From Google support:
To help keep your account secure, from May 30, 2022, ​​Google no longer supports the use of third-party apps or devices which ask you to sign in to your Google Account using only your username and password.
I am receiving a Python error even though my user and password are OK (tested by logging in to my account):
Authentication error. Wrong user or password.
smtplib.SMTPAuthenticationError: (535, b'5.7.8 Username and Password not accepted. Learn more at\n5.7.8 https://support.google.com/mail/?p=BadCredentials u2-20020a1709061da200b0072f42ca2934sm7507815ejh.148 - gsmtp')
What is the best way to use a Google account for notification emails, or is there a better way or tool to be notified?
When you want to send email over Gmail SMTP, Google enables you to set up an App Password. You have to have 2-Step Verification set up in your Google account. Once the 16-digit password is generated, you just replace the password for login (the username is your email address, which does not change).
Sources:
Google: Sign in with App Passwords
Stackoverflow: What's solution for sending emails from python while gmail " the less secure apps " is not enabled anymore

How to use Nodemailer with Google?

Hello, I made a NodeJs backend and implemented nodemailer. The only issue is I get the error "Invalid Login", because I don't have less secure apps turned on. I know, but I went to Google and clicked on the less secure app section and this is what I get:
This setting is no longer available. Learn more
Has anyone solved the error a different way and is able to send emails?
When you want to send email over Gmail SMTP, Google enables you to set up an App Password. You have to have 2-Step Verification set up in your Google account. Once the 16-digit password is generated, you just replace the password for login (the username is your email address, which does not change).
Sources:
Google: Sign in with App Passwords

Azure AD - Getting Update password screen instead of incorrect password message when using a specific old password

For a specific user in Azure AD, say (xyz#mail.com), when I use a specific old password such as pass#321, it redirects me to the Update your password screen stating - "You need to update your password because this is the first time you are signing in, or because your password has expired."
While if I use the current correct password, it signs in successfully. Or if I use some other old password or some wrong password, it correctly shows the message "Your account or password is incorrect. If you don't remember your password, reset it now."
Is there a way to flush out old password history from Azure AD or to debug the old password properties?
I can't delete the user and create it again, as there is a lot of dependency in my team on that user id (xyz#mail.com).

How can I validate SMTP hostname/port/username/password is working on Node.JS?

I have a node.js web application and I'd like its status page to have an indicator if the SMTP settings for the site are functioning. I could send an email and check if it goes across, but I'm wondering if I can do something like a ping for SMTP. Can I, without actually sending an email, check that I can connect to the SMTP server and verify the configured credentials?
I did a little experimenting with the smtp-protocol module (https://npmjs.org/package/smtp-protocol) but was not successful as I couldn't figure out how to use a username/password with the client.
Make a verification method by sending an email using the current credentials. If the email can be sent with those credentials, then they are working fine; otherwise the credentials are incorrect. If the credentials are correct, then use them for the email sending process.
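The two problems above (the Gmail 535 authentication failure, and wanting to verify SMTP host/port/credentials without actually sending mail) share one check: run the SMTP dialogue through EHLO, STARTTLS and AUTH, then QUIT before any RCPT or DATA command. Added example in Python, not code from any of the posts; the `smtp_factory` parameter and `SmtpCheckResult` type are my own names, and for Gmail the password is assumed to be the App Password from the answer above.

```python
"""Verify SMTP settings by authenticating and then quitting, sending nothing."""
import smtplib
import ssl
from dataclasses import dataclass


@dataclass
class SmtpCheckResult:
    ok: bool
    stage: str    # where the check stopped: connect, starttls, auth or done
    detail: str   # server reply or exception text, suitable for a status page


def check_smtp_credentials(host, port, username, password,
                           timeout=10, smtp_factory=smtplib.SMTP):
    """Connect, negotiate STARTTLS, authenticate, then QUIT.

    No RCPT/DATA is issued, so a successful AUTH proves the credentials
    without producing an email. smtp_factory is injectable so the check
    can run against a fake server in tests; in production leave it as
    smtplib.SMTP (for an implicit-TLS port such as 465 use smtplib.SMTP_SSL
    and skip the STARTTLS step).
    """
    stage = "connect"
    try:
        # Leaving the with-block sends QUIT, on success and on failure alike.
        with smtp_factory(host, port, timeout=timeout) as conn:
            conn.ehlo()
            stage = "starttls"
            # Never send credentials over a cleartext session.
            if not conn.has_extn("starttls"):
                return SmtpCheckResult(False, stage, "server offers no STARTTLS")
            conn.starttls(context=ssl.create_default_context())
            conn.ehlo()   # re-advertise features inside the TLS session
            stage = "auth"
            conn.login(username, password)
            return SmtpCheckResult(True, "done", "credentials accepted")
    except smtplib.SMTPAuthenticationError as exc:
        # Gmail answers 535 5.7.8 here when an account password is used
        # instead of an App Password (or when 2-Step Verification is off).
        return SmtpCheckResult(False, stage, f"{exc.smtp_code} {exc.smtp_error!r}")
    except (smtplib.SMTPException, OSError) as exc:
        # DNS, TCP, TLS or protocol failures: report the stage reached.
        return SmtpCheckResult(False, stage, str(exc))
```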

Secure ways to reset password or to give old password

What is the most secure way to handle forgotten passwords/password resets? Should I email the password to the user? If so do you then force them to reset it? Or do you let them reset it immediately (without sending an email) and require some other information to verify that it is them? Or is there a better method?
You can't email the password to the user, because you don't know it. You've "hashed" it by applying something like PBKDF2 or bcrypt to it for storage, right?
If you reset the password without confirming it with the owner of the account, an attacker can deny the owner access to his account, at least until he checks his email, by using the victim's email address to request a reset.
A method safe enough for many applications is to email a link to the account owner, containing a large, randomly generated number. This token should only be valid for a limited time. If the owner wishes to reset their password, they click the link and this authenticates them as the account owner. The account owner can then specify a new password.
You shouldn't send passwords via email. Here is a step by step process I've used:
Give users a reset password option.
This option saves a unique token for a user. The token eventually expires (hours, day or days).
A link is emailed to the user which includes the token.
User clicks on the emailed link.
If the token exists and isn't expired, the link loads a new password form. If not, don't load the new password form.
Once the user sets a new password, delete the token and send the user a confirmation email.
Until the new password is set, the old password should remain active. Don't forget to hash and salt the passwords!
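The step-by-step process above, worked through in Python as an added example (not code from the answer). The in-memory dict stands in for a database table, and only a SHA-256 digest of the token is stored, so a leaked table does not yield usable reset links; the function names and the one-hour TTL are my own choices.

```python
"""Single-use, expiring password-reset tokens following the steps above."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 60 * 60   # "hours, day or days": one hour in this example

# user_id -> (token_digest, expires_at). A database table in a real deployment.
_reset_tokens = {}


def _digest(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def create_reset_token(user_id, now=None):
    """Step 2: mint a random token and store only its digest plus an expiry.

    Returns the raw token for the emailed link. Requesting again replaces
    the earlier token, so only the newest link works.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)   # 256 bits of randomness, URL-safe
    _reset_tokens[user_id] = (_digest(token), now + TOKEN_TTL_SECONDS)
    return token


def reset_link(base_url, user_id, token):
    """Step 3: the link to email; uid is only a lookup key, the token is the proof."""
    return f"{base_url}/reset?uid={user_id}&token={token}"


def consume_reset_token(user_id, presented, now=None):
    """Steps 5 and 6: accept the token once if it matches and has not expired.

    Returns True when the caller may show the new-password form. The old
    password stays valid until the caller actually stores the new one.
    """
    now = time.time() if now is None else now
    entry = _reset_tokens.get(user_id)
    if entry is None:
        return False
    stored_digest, expires_at = entry
    if now > expires_at:
        del _reset_tokens[user_id]      # expired: a fresh request is required
        return False
    if not hmac.compare_digest(stored_digest, _digest(presented)):
        return False                    # wrong token: constant-time compare, keep the real one
    del _reset_tokens[user_id]          # single use: consumed on success
    return True
```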
I suppose you are going to do it programmatically? Or is it a question for Server Fault?
One of the ways is to send a link to the user's email account. He/she clicks on the link and is redirected to your secure web form where they reset the password.
Do NOT email the password to the user