View Issue Details

ID: 0000189
Project: Main CAcert Website
Category: account administration
View Status: public
Last Update: 2013-01-14 03:04
Reporter: plaisthos
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Fixed in Version: 2006
Summary: 0000189: Can login with Certificate but can't change Password
Description: If you log in via Certificate (I have mine on an eToken) you can do everything but change your normal password if you have forgotten your old password. (I did :().

For security reasons this makes no sense, since I can look up the 5 questions and my date of birth and change the password via "Forgot your password".
Tags: No tags attached.
Reviewed by
Test Instructions

Relationships

related to 0000171 closed missing email notification 

Activities

bluec

2006-04-24 21:28

manager   ~0000200

So what would be a solution for that?

a) Allow password changes for cert-logins without asking for the old password?

b) Ask for password before allowing to read or change the lost password questions?

c) Don't print the answers to the lost password questions in the user menu at all?

I got your point but don't think that the current situation needs to be changed.

homer

2006-04-25 04:38

reporter   ~0000203

Last edited: 2006-04-25 04:39

Me too, I got your point but don't think that the current situation needs to be changed.
 
The user will need to change his password one way or another!

Question: is there any warning sent to the user when changing the password?
BUT the hacker could change all the email addresses so the real user could not be warned about the password change.

duane

2006-08-14 14:42

developer   ~0000450

Well we could notify the user if the default email is changed, and then notify on password changes...

duane

2006-08-14 16:01

developer   ~0000452

You can now change the password without the old password if you log in with a certificate.

Issue History

Date Modified Username Field Change
2006-04-02 00:07 plaisthos New Issue
2006-04-24 21:28 bluec Note Added: 0000200
2006-04-24 23:30 bluec Relationship added related to 0000171
2006-04-25 04:38 homer Note Added: 0000203
2006-04-25 04:39 homer Note Edited: 0000203
2006-08-14 14:42 duane Note Added: 0000450
2006-08-14 16:00 duane Status new => needs work
2006-08-14 16:00 duane Assigned To => bluec
2006-08-14 16:01 duane Status needs work => solved?
2006-08-14 16:01 duane Fixed in Version => production
2006-08-14 16:01 duane Resolution open => fixed
2006-08-14 16:01 duane Note Added: 0000452
2007-10-24 06:18 evaldo Assigned To bluec =>
2007-10-24 06:18 evaldo Status solved? => closed
2013-01-14 03:04 Werner Dworak Fixed in Version => 2006