When you click the 'Generate new password' button on the Password tab of Kentico's 'User' application, the password is sent out in clear text via email. We want users to change their password the first time they log in. Are there any suggestions on how to achieve this?
We use Kentico 11 with the ASPX template, and I have access to the code and database. I've checked the documentation and there is no built-in setting to do this.
Thanks
Another option would be setting some passwords for the users and then setting up either password expiration or a password policy, so the passwords will not meet one of these and the users will be asked to change the password using the password reset.
Create their accounts and set their passwords to a very strong password.
Have the users click "forgot password". This will force the user to change their password, and they won't be able to log in until they go through that process.
I have a unique requirement for a password reset.
We have users without email (or with an invalid email); they just sign up using a username.
So, to reset passwords, we want to have a separate UI application for support people that will allow resetting users' passwords without needing to send the password over email, or the password can be sent to the common support email of the organization.
Is there a way we can use the Graph API for this purpose? Custom policies need email to send passwords over (we don't want the user's phone numbers at this moment).
Appreciate any leads in this matter.
Thanks.
Yes, you can.
But not ideal. The support person knows the password. And how does the user get informed of the password?
The correct way is to use a magic link that contains the username and when the user clicks on the link, they get the reset password flow. That way only the user knows the password.
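A minimal version of the magic-link reset flow described in the answer above, which is also the token-based "forgot password" flow the earlier Kentico answers rely on, written as an added Python example rather than code taken from any of the posts. The in-memory store, the example.test URL, the 15-minute token lifetime and the PBKDF2 parameters are assumptions for the example:

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

TOKEN_TTL_SECONDS = 15 * 60                      # assumed lifetime of a reset link
RESET_BASE_URL = "https://example.test/reset"    # hypothetical reset endpoint


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 (iteration count is an assumed setting)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify_password(stored, password):
    salt, digest = stored
    return hmac.compare_digest(digest, hash_password(password, salt)[1])


def build_reset_link(username, token):
    return f"{RESET_BASE_URL}?{urlencode({'user': username, 'token': token})}"


def parse_reset_link(link):
    qs = parse_qs(urlparse(link).query)
    return qs.get("user", [""])[0], qs.get("token", [""])[0]


class PasswordResetService:
    """users maps username -> (salt, digest); only token hashes are kept server-side."""

    def __init__(self, users):
        self.users = users
        self._pending = {}        # sha256(token) -> (username, expiry time)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def create_reset_link(self, username, now=None):
        """Issue a single-use link. Returns None for unknown accounts so the caller
        can show the same 'check your inbox' message either way."""
        if username not in self.users:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)           # 256 bits of randomness
        self._pending[self._digest(token)] = (username, now + TOKEN_TTL_SECONDS)
        return build_reset_link(username, token)

    def redeem(self, link, new_password, now=None):
        """Set a new password if the link is unexpired, unused and bound to the account."""
        now = time.time() if now is None else now
        username, token = parse_reset_link(link)
        digest = self._digest(token)
        entry = self._pending.get(digest)
        if entry is None:
            return False
        bound_user, expiry = entry
        if now > expiry:
            del self._pending[digest]               # expired links are discarded
            return False
        if bound_user != username:
            return False                            # token was issued for another account
        # Success: consume this token and every other outstanding token for the account.
        self._pending = {d: e for d, e in self._pending.items() if e[0] != username}
        self.users[username] = hash_password(new_password)
        return True


if __name__ == "__main__":
    svc = PasswordResetService({"alice": hash_password("OldPass-1")})
    link = svc.create_reset_link("alice")
    print(link)
    print(svc.redeem(link, "NewPass-2"), svc.redeem(link, "NewPass-2"))
```

The username in the link is informational; the random token is the credential, so only its hash is stored, it expires, and redeeming it invalidates every other outstanding link for the account. For the support-desk case in the question, the support tool would call create_reset_link and hand the link to the user over whatever channel the organization trusts; the support person never learns the password.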
I have an application registered in Azure AD B2C. When a new user logs in for the very first time, he is redirected to the attached screen for updating the password. The issue here is that the user does not know what combination of password he needs to input until and unless a specific combination works.
I need to customize this screen to display a user-friendly label telling the user what combination of password he/she needs to enter on this screen.
With AAD B2C you can customize the user interface, which includes the sign-up/sign-in, profile editing and password reset experiences. This documentation outlines how to do the UX customization and test out the templates in the portal, and has a few tutorials on setting it up.
Here are the specifics on password rule enforcement.
I have searched all over and can't find any answers on this. It's clear that for a password reset scenario, where the user has forgotten a password, the system in question should send a temporary token/link to the user's registered email that takes the user to a secure page that allows the user to select a new password.
What I'm asking about is the case where a user knows the current password, and wants to change it. I'm proposing either
1) the user could enter the old password and new password, and an email will be sent off asking to click a link to confirm the change (which also serves to notify that a change request has been made), or
2) the user could enter the current password and gets sent an email with a link that takes them to a new password selection screen.
Yet, I don't see this process being used anywhere. Is there a reason this approach doesn't buy you any more security, or is there a security flaw in this approach?
It seems to me that this would add an extra layer of security, as it's a type of two-factor authentication. Consider the case where the user's password has been compromised, but the password is different from the user's email password, and the attacker has no other method of accessing the user's email. The attacker would not be able to lock the owner out, since the attacker would not be able to click the confirm password change link. As an added benefit, this would serve as a notification to the account owner that someone was trying to take the account over.
Is this simply deemed not worth the extra hassle?
I can think of 2 reasons.
1) It will annoy the user. Every extra step tries the users patience.
2) It doesn't add security. If someone has the current password, they already have access to the account. If the attacker doesn't have access to the email account, they can't permanently lock the user out anyway.
What you should require email verification for, is changing the user's email address.
I am trying to sort out a peculiar behavior when creating new users as a site Admin on our Dnn installation.
I have gone into the Admin > Site Settings > User Account Settings > Profile Settings and changed a few of the fields to Required (FirstName, LastName, Title, Address etc) with Required and Visible checked and Default Visibility set to 'AllUsers'.
I have a requirement of 'None' for the 'User Registration' type, meaning the site Admin must create all new users. I also have a requirement that the password for new users be created randomly, instead of being assigned by the site Admin.
When the user is created in this manner, an email is sent with instructions to choose the 'Reset Password' option (if a first-time user). This built-in Dnn function asks for the new user name (supplied in the email) and then sends another email with a reset password link with a token.
We are doing this to remove any password knowledge from the site Admin.
The problem is that when new users finally set their password and gain access to the system they are not being forced to fill in the required profile settings the first time (when they choose their password). They are required to fill them out when they log in the second time (without going through the reset password process).
We would really like them to be forced to complete the Profile Settings the first time regardless of whether they are setting their password via the password reset token link.
Does anyone know why this is happening? Is there a workaround?
Thanks for any information!
The answer to this question can be found here:
https://dnntracker.atlassian.net/browse/DNN-4213
I'm working on a new password reset workflow on a website, and I am wondering if there are any best practices on the topic of logging in after a password reset. Once the new password has been entered by the user, should they need to click login and enter their username and new password, or be automatically logged in? Personally I prefer them to log in after resetting the password so that their browser has a chance to update its saved passwords. Automatic login just seems insecure to me. Are there any other thoughts on the subject?
Basically I'd recommend having one log-in entry point to your application, although this additional log-in creates a burden on the user.
I'd say the benefits outweigh this:
Easy to track log-in activities
If you want to apply some log-in rules like CAPTCHA, you will apply them on the log-in page only.
Browsers' password management can identify the password entered only on log-in.