Closed Studio384 closed 11 years ago
Another idea when resetting passwords is not to send a randomly generated password (over an insecure channel) and hope that people change it (as opposed to saving it in the browser), but instead to send out a randomly generated reset link with a secure nonce and an expiration date in the near future.
Upon opening that link the user gets to supply their preferred new password, optionally with a handy password strength widget telling them if it's a reasonable choice or not. Additionally a forum administrator might use this password reset screen to inform about the benefits of a password vault such as KeePass.
The upshot is that the user gets to choose their password with no chance of them continuing to use your randomly supplied one. If you're running your forum over https, this means the password won't travel over an insecure channel (insofar as https can be considered secure these days).
More importantly it neatly encourages the user to think about their password instead of using a randomly supplied value that might end up getting fished from their email account at a later date.
Certainly a compromised email account might also lead someone to ask for a reset link and supply their own password, but in that case the original user will be locked out and know the account's been compromised, as opposed to someone else being able to log in using the same password.
Granted, perhaps a bit overkill and certainly more involved (code wise) than just changing random_pass, but possibly worth it.
Mmm, you might have a point there; however, that's more something to work on for a point release, rather than a patch release. I'm planning to revamp the profiles in a future update, this might be part of it. :)
We got reports about non-working password reset links users got via mails. These had characters like + in them which have a special meaning in URLs (they are translated to spaces unless urlencoded).
The problem seems to be in random_pass which calls random_key that base64_encodes a random byte series. base64 also includes + and /.
I suggest to not use base64 and only allow a-z0-9 characters here or use urlencode on the key.
The same might apply to registration and other mails; I did not check that.
http://fluxbb.org/development/core/tickets/895/
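The two technical points in this ticket, a URL-safe reset key (the base64 `+`/`/` problem in random_key) and the reset-link-with-expiry flow proposed in the first comment, can be shown together in one small PHP example. This is an added illustration, not FluxBB code: the function names, the in-memory `$tokens` array standing in for a database table, the reset URL and the commented-out `save_password_hash()` call are all assumptions.

```php
<?php
// Added example (not FluxBB code). Shows (1) a reset key that survives in a
// URL without urlencoding, and (2) a single-use, expiring reset link where the
// user picks the new password instead of receiving a random one by mail.

// Why base64 keys break in mails: the base64 alphabet contains '+' and '/',
// and '+' turns into a space in a query string unless it is urlencoded.
function is_url_safe_key(string $key): bool {
    return preg_match('/^[A-Za-z0-9]+$/', $key) === 1;
}

// Fix A: restrict the alphabet. bin2hex() yields only [0-9a-f], so 16 random
// bytes become a 32-character key (128 bits) that needs no escaping at all.
function generate_reset_key(): string {
    return bin2hex(random_bytes(16));
}

// Fix B (alternative): keep base64 but swap '+' and '/' for '-' and '_'
// (the base64url alphabet) and drop the '=' padding.
function base64url_key(int $bytes = 16): string {
    return rtrim(strtr(base64_encode(random_bytes($bytes)), '+/', '-_'), '=');
}

// Issue a reset link. Only a hash of the key is stored (assumed $tokens array
// stands in for a DB table), so a leaked table does not expose live links.
function issue_reset_link(array &$tokens, int $user_id, int $ttl_seconds = 3600): string {
    $key = generate_reset_key();
    $tokens[hash('sha256', $key)] = [
        'user_id' => $user_id,
        'expires' => time() + $ttl_seconds,   // short lifetime, as suggested above
    ];
    // urlencode() is a no-op for a hex key but protects against later changes
    // to the key alphabet (the original bug).
    return 'https://forum.example/reset.php?key=' . urlencode($key);
}

// Called when the user opens the link and submits their chosen password.
// Returns the user id on success, or null if the key is unknown or expired.
function redeem_reset_key(array &$tokens, string $key, string $new_password): ?int {
    $lookup = hash('sha256', $key);
    if (!isset($tokens[$lookup])) {
        return null;
    }
    $entry = $tokens[$lookup];
    unset($tokens[$lookup]);                 // single use, expired or not
    if ($entry['expires'] < time()) {
        return null;
    }
    // The user chose this password; store only its hash.
    $password_hash = password_hash($new_password, PASSWORD_DEFAULT);
    // save_password_hash($entry['user_id'], $password_hash); // hypothetical DB call
    return $entry['user_id'];
}

// Usage: issue a link for user 42, then redeem it once as the link handler would.
$tokens = [];
$link = issue_reset_link($tokens, 42);
parse_str(parse_url($link, PHP_URL_QUERY), $query);
var_dump(is_url_safe_key($query['key']));
var_dump(redeem_reset_key($tokens, $query['key'], 'correct horse battery staple'));
var_dump(redeem_reset_key($tokens, $query['key'], 'second attempt'));   // single use
var_dump(is_url_safe_key(base64_encode("\xfb\xff\xbf")));             // plain base64
```

Running this prints `bool(true)`, `int(42)` and then `NULL` for the second redemption, and `bool(false)` for the last line: the bytes `\xfb\xff\xbf` encode to `+/+/` in plain base64, which is exactly the kind of key that arrived broken in users' mails. Either of the two generators above avoids that; the expiry plus single-use check covers the point made in the first comment about a mailed link being stolen later.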