I'm creating a forum, and currently trying to decide the most secure method for a user to change their EMail.
I figured it might be best to send a confirmation email to the old address, and once confirmed(after clicking the link in the EMail), their old EMail address will be replaced by their new address.
But I noticed some sites,
Requiring verification from the old email address is a definite boost to security, and should be required for critical sites like banking or high-profile social networking where a hijacked account can do serious damage, but it means users cannot change their email address if they lose access to their email account.
If you're creating a web-forum, then this probably isn't important enough to warrant an explicit release, and there are going to be many users that abandon a forum, let their email address expire, and then return. For this case I advocate simply sending a notification email to the old email address and including an "I didn't request this, please revert my email address immediately" link, that way in case of a hijacked account the original account-holder is still able to reclaim the account, while not inconveniencing those who genuinely no-longer have access to their old email accounts.
Related
I'm developing an web application using Django.
Currently I am working on sending "reset password link" thorough email (amazon simple email service - SES)
The mechanism I used, is the same with the answer of "simeonwillbanks" below link
Secure ways to reset password or to give old password
Give users a reset password option.
This option saves a unique token for a user. The token eventually expires (hours, day or days).
A link is emailed to the user which includes the token.
User clicks on the emailed link.
If the token exists and isn't expired, the link loads a new password form. If not, don't load the new password form.
Once the user sets a new password, delete the token and send the user a confirmation email.
What I worry about this, I am not sure this way is safe in terms of security. What if the email is captured by a hacker?
I tested on several major websites how they care this.
get an "reset password" email and copy the link.
give the link to other and see if he can change password on my account.
From this test, I figured out that somebody else also can change my password only with the link.
If I cannot do anything on the link, is there way to make email more secure?
like as the mechanism of ssl(https) on website?
Thanks!
It's somewhat secure, though is toast if the user's email was compromised.
I prefer using an HMAC in the URL, which avoids storing tokens in the DB.
If you include the user's IP address in the URL, and in the HMAC, you can be sure the reset link click came from the same computer (router actually) that requested the reset, and that it can't be shared.
Instead of the IP, you could set a device cookie with the username/email and an HMAC, and then check this when the reset link comes in from the email.
The system should ask the user the answer to a secret question after he clicks the link. Even better, send an SMS to his mobile with a short random code and ask for that. This is called https://en.wikipedia.org/wiki/Multi-factor_authentication
Then show the change password form (over HTTPS of course).
While we're here, you should display the same "success" message whether or not the user has an account, to avoid user enumeration attacks.
Also, use a localhost MTA relay or asynchronous email so that a hacker can't tell whether you sent an email (a slow response would indicate that a user exists).
Building an app for schools. Teachers will have classrooms assigned to them. Teachers login via email/password.
We also have district supervisors/administrators who need to easily distribute these classrooms to teachers. Currently I have a feature where they can assign a classroom to an email address, and when a user with that email signs up, it is automatically granted to them.
Is this safe? Or is it possible for two individuals to have the same email address?
Two email accounts cannot have the same email address, but whether multiple individuals are using the same address will depend on the policy of the owner of the domain, or it might be up to individual users for public systems such as Gmail or Hotmail if they want to share their address with others.
Is the app (or a particular deployment of it) restricted to only allow sign-ups from the domain of the school? (e.g. at Example College only alow emails that end in #example.edu?)
If so, you should check with the school as it is upto them how emails are distributed and used. If anyone can sign up you should be aware that people may share email addresses at certain institutions or that email addresses may be recycled for new teachers if no longer in use.
To make this approach more secure you should:
Verify the email address of each person that signs up. This can be a confirmation email containing a link with an ID generated by a cryptographically secure RNG. When the user clicks the link http://www.example.com/confirm.aspx?id=123456qwerty this will verify that they have access to the email address and grant them access to the classroom.
Expire the pre-granted rooms after a set number of days. This will reduce the chances of a classroom being granted to any recycled email address.
A couple things jump out to me.
1) You seem to be assigning resources to an account (an email address) before it has been created. How do you know that the person registering with that email address is the person that you expect?
2) You can only assume that an email address is unique if you control the domain of the email addresses and you enforce uniqueness. Otherwise it is possible that email addresses will be recycled over time (quite common with corporate email addresses like jsmith#company.com).
I'm working on a web-based application, and looking to integrate each user's e-mail (gmail, yahoo, etc.) into it. I'd like to do an automatic sync (side detail: selective to specific e-mail addresses) of inbox and sent messages, i.e. any messages sent through the application will appear in the user's e-mail, and vice versa; any messages received in the application will appear in the e-mail, and vice versa.
My question: I realize this will probably involve IMAP. Is there a way to go about this without storing the user's e-mail passwords? I'm open to any language, infrastructure, etc.
If there's really no way around storing the passwords, would MD5 be sufficient? Any other thoughts would be greatly appreciated.
you would need to find an OAuth-based API for accessing the email provider. this would allow the user to authenticate themself, provide you with an access token for later use.
I believe you can do this with Gmail, Yahoo (see links)
A situation where this might arise is a private messaging system on a forum. A user might want PMs forwarded to their main email so that they don't have to remember to check the inbox on your site as well as their main email. Then when users reply to those messages, you want the reply to go as a PM to another forum user.
Forwarding PMs as emails is trivial. In order to allow replies, you need to have the email server on your site parse out some information in the email that indicates which user it should be forwarded to as a PM.
If you really want to allow a user to access their entire GMail inbox from within the interface on your site, rather than just messages that went through your site anyway, then you are facing a much larger task.
I'm working on a simple web service that allows users to sign up for free and upload a small amount of data. I can easily establish a quota for each user, but malicious users could create fake accounts to upload as much data as they like in a denial-of-service attack.
Obviously, there's no perfect defense against this type of attack, but what can we do to mitigate this problem?
Tie it to a more-or-less unique identifier (phone number, bank account number, facebook/google/etc account) or to a finite resource (such as time, by using a captcha).
use a captcha on account creation to ensure that it's a
human and not an automated process.
require a valid email address and require that they click a link in their email to validate that that's their email address and continue the registration process. This cuts down on their ability to create many throwaway accounts because you can limit them to only having one account per email address and they have to then create a new email address for each account they want to create.
When the user signs up, the user supplies a valid email. Most accounts are not enabled until a response has been received, usually by clicking a link in the body of that email. When that click-through is received, you should be able to grab an IP address. That should help you curtail an abundance of casual DOS attacks.
Consider Phone Number Verification
Requiring phone number for account creation is the best approach I've come across; Creating a new email or cycling an IP address is pretty trivial, but genuine sms phone numbers cost money to activate & grant your service the ability to restrict access by country-code.
An important caveat: Virtual phone numbers (like google-voice), temporary-phone number services, & burner phones can make sms-verification ineffective at preventing duplicate user accounts. Depending on your use case, it might be worthwhile to use a service, like Vonage's Number Insight api, that lets you identify those types of numbers.
Authillo is a passwordless authentication provider that prevents duplicate/fake accounts by leveraging sms verification, liveness detection, & facial recognition. Depending on how critical it is that you prevent fake accounts on your service, their base plan might be what you're looking for.
Just log the IPs and assume the same user if the IP does not change within a time interval. This is bad, because it would prevent multiple users in the same house (same IP) but it is a good start.
I setup my website to require unique email addresses (no two users can have the same email address), but I realized that this could allow someone to check if a person is registered on my website by attempting to signup with that email. Granted that this person would have to know the email address they wanted to try, but it could be useful information for some people (e.g. competitors who wanted to see if their users are registered on my website).
Is there any real way to stop this, or does this just have to be accepted as a possibility?
Edit: just to be clear, this is about creating an account. Even you provide a generic "invalid login" for bad logins, how would you require a unique email address or username without disclosing which usernames or email addresses are valid?
Additional, much later edit: One thing that wasn't considered here was maintaining the requirement for unique email addresses when you let users change their email address after account creation. Here, the solution I accepted of sending a "forgot password" email doesn't work nearly as well. Instead, it seems that the only options are to use captchas or limitations on the number of times an email address can be changed in a certain period of time to limit automated attempts.
If someone tries to sign up with an existing account — send a "Change your password" email instead of a "New account" email (and explain why).
Leave the HTTP response as a simple "A confirmation email has been sent to the address you specified. Follow the instructions in it to continue".
I suppose the issue is if someone forgets their password, you would ask them to enter their email address and you would send the password there if a match was found?
For that you can have users supply a question/answer challenge when they register their email address. Its a bigger pain for your users but if security is a concern then they may go for it.
Another possibility is your registration form. In this case users can enter an email address to see if its already "taken".
To address your concern you should just happily accept all registrations and send a confirmation email, even if they are already registered. That way the user doesn't know if they just registered the email address for the first time or not.
Finally, if an incorrect username/password is given, don't tell the user which is bad.
I don't think it's a terrible security risk unless membership to the site is sensitive, in which case you can use some of the patterns described.
Yes, that can happen and you cannot really do anything about it except limiting the number of checks/registration attempts in time. That will at least prevent automated checks by your competitor. Of course, if some guy decides to check if his girlfriend is registered there, then he will have that possibility.
Just a thought, not sure if it would work, but why not do something like the login page, where instead of saying "your password is wrong" it says "your username or password was wrong". Maybe just state "your email address is invalid". It's probably a bit of usability error, but if you are concerned about people doing as you say, then you might have to live with it.