Using the "Reset Password" feature is now super easy for any experienced attacker to gain access to the Eclipse.org infrastructure. With a little bit of social engineering one just needs to find out the email address of a committer with shell access. The hacker then enters the email address and monitors/sniffs SMTP traffic to get the password. Done. A reset password procedure should involve at least a two-step process including personal questions with answers that are known to the user. There is a good read here: http://www.fishnetsecurity.com/Resource_/PageResource/White_Papers/FishNetSecurity_SecureForgotPassword.pdf (3rd hit on Google for "forgot password best practices")

Basic idea:
1. Get hard facts about the user (such as userid/email/birthday/city)
2. Ask personal security questions
3. Allow user to reset password
4. Display success message
+1 I wouldn't say "super easy" but the reset needs to be much more robust.
In the meantime, I've changed the process to send out a 64-byte token (instead of a new password). When the user confirms the token, they can change the password.
Denis, I think there is a flaw in the process. One of my co-workers wanted to reset his password today but he couldn't. "You have already submitted a request. This request has been ignored. (8727s)" I think it should just generate a new token each time.
> I think it should just generate a new token each time.

I want to avoid having someone script password resets for everyone. Having an IP-based restriction was all I could come up with within the time I had. It will expire :)
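As an added example, not code from the Eclipse.org infrastructure discussed in this thread: a token-based reset flow in Python that keeps a per-account throttle (so nobody can script resets for everyone) but lets a later request replace the earlier token, so a user who lost the first mail is not locked out for hours. The TTL, cooldown and daily ceiling values are assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 3600       # token validity window (assumed value)
RESEND_COOLDOWN_SECONDS = 60   # minimum gap between tokens per account (assumed)
MAX_TOKENS_PER_DAY = 5         # per-account daily ceiling (assumed)


class ResetTokenStore:
    """In-memory store for pending reset tokens; a real site would use its database."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}   # email -> (sha256(token), expires_at)
        self.history = {}   # email -> timestamps of tokens issued

    @staticmethod
    def _hash(token):
        # Store only a hash, so a leaked table does not leak usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, email):
        """Issue a fresh token, or (None, reason) when the account is throttled."""
        now = self.clock()
        issued = [t for t in self.history.get(email, []) if now - t < 86400]
        if issued and now - issued[-1] < RESEND_COOLDOWN_SECONDS:
            return None, "cooldown"
        if len(issued) >= MAX_TOKENS_PER_DAY:
            return None, "daily-limit"
        token = secrets.token_urlsafe(48)   # 48 random bytes -> 64 URL-safe chars
        # A new request replaces the previous token, which becomes useless.
        self.pending[email] = (self._hash(token), now + TOKEN_TTL_SECONDS)
        issued.append(now)
        self.history[email] = issued
        return token, "ok"

    def confirm(self, email, token):
        """Validate a token and consume it on success (single use)."""
        entry = self.pending.get(email)
        if entry is None:
            return False
        token_hash, expires_at = entry
        if self.clock() > expires_at:
            del self.pending[email]
            return False
        if not hmac.compare_digest(token_hash, self._hash(token)):
            return False
        del self.pending[email]
        return True
```

The HTTP handler in front of this should answer identically whether or not the address belongs to an account, so the reset form does not double as an account-enumeration oracle.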
(In reply to comment #4)
> I want to avoid having someone script password resets for everyone. Having an
> IP-based restriction was all I could come up with within the time I had. It
> will expire :)

So that explains why mine was also blocked. :) I probably asked you that before but... What about http://www.google.com/recaptcha? As a positive side-effect it helps digitize books. I think it's also a good thing to start asking for a captcha after the second failed password attempt.
Yep, recaptcha is next ... I am but one man :)
(In reply to comment #6)
> Yep, recaptcha is next ... I am but one man :)

I'm pushing you very hard on this one, ain't I? But you are doing great and I got the message. I'm happy to owe you a beer or two in March. :)
> I'm pushing you very hard on this one, ain't I?

Yes, and I appreciate it. This service needs to be top-notch, and I need people like yourself watching over my shoulder and keeping me honest. I'm the one who owes you a beer. Thanks.
What is the status of this bug?
I'll close this as fixed since the original problem has been addressed. recaptcha would be nice, though.