[OPEN-ILS-DEV] ***SPAM*** Re: Self-serve password reset thoughts

Bill Erickson erickson at esilibrary.com
Mon Mar 29 15:44:24 EDT 2010


On Mon, Mar 29, 2010 at 7:40 AM, Bill Ott <bott at grpl.org> wrote:

> On 3/29/10 12:35 AM, Dan Scott wrote:
>
>> On Sun, 2010-03-28 at 21:47 -0400, Bill Ott wrote:
>>
>>
>>> Ours is not quite as complex, but has been serving us well since we put
>>> it into production 18 months ago.
>>>
>>> We simply accept a barcode and email address.  If they match a given
>>> account, the password is reset to a random 5-digit integer, which is
>>> emailed to the address.  The email of course does not contain a barcode
>>> or username, nor a link or any indication of where the password is to be
>>> used, so the receiving party would need to already have that information
>>> for it to be of use.  Because the value does not meet our complexity
>>> requirements, it must then be reset by the user following the first
>>> login.
>>>
>>> The most common complaint comes from individuals that do not have a
>>> current email address in their account, and therefore cannot get the
>>> form to reset their password.
>>>
>>>
>>>
>> All bets are off when you're sending anything via email, I suppose.
>>
>> My concern about your approach is that attacks become pretty
>> straightforward: you just need to know a user's user name (or barcode) + email
>> address to reset their password to a 5-digit integer. In our context,
>> these two pieces of information would be pretty easy to come by
>> (consider two people that might have had a relationship go sour). Also,
>> given the institutional nature of our Evergreen install, our users' user
>> names tend to be their institutional email addresses, or the prefix part
>> of their email address, so this combination is often predictable.
>>
>>
>
> It is for this reason that we require the barcode proper, the username is
> not accepted.
>
> To a large extent, a compromised barcode is a pretty damning situation
> alone, as it's rather simple to replicate that barcode and use it at a
> self-check machine, walking away with potentially thousands of dollars' worth
> of materials checked out to someone else.
>

As a brief aside, the trunk version of the Evergreen self-check UI has a
"password required" mode.

-b


-- 
Bill Erickson
| VP, Software Development & Integration
| Equinox Software, Inc. / Your Library's Guide to Open Source
| phone: 877-OPEN-ILS (673-6457)
| email: erickson at esilibrary.com
| web: http://esilibrary.com
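
An added example, not part of the original thread and not Evergreen code: a request-then-redeem reset flow that addresses the concern quoted above, where knowing a barcode and email address is enough to replace the password with one of 100,000 values. The class, method names, TTL and attempt limit are hypothetical, and the in-memory store stands in for the patron table.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60   # seconds a reset token stays valid (assumed policy)
MAX_ATTEMPTS = 5      # failed redemptions allowed per request (assumed policy)

class ResetStore:
    """In-memory stand-in for the patron table; constructed for this example."""
    def __init__(self):
        self.patrons = {}   # barcode -> {"email", "password"}; real systems store a hash
        self.pending = {}   # barcode -> {"digest", "expires", "tries"}

    def add_patron(self, barcode, email, password):
        self.patrons[barcode] = {"email": email.lower(), "password": password}

    def request_reset(self, barcode, email, now=None):
        """Return a token to e-mail, or None. The current password is NOT changed."""
        now = time.time() if now is None else now
        patron = self.patrons.get(barcode)
        if patron is None or not hmac.compare_digest(
                patron["email"].encode(), email.lower().encode()):
            return None     # the UI should show the same message either way
        token = secrets.token_urlsafe(32)   # 256 random bits vs. 10**5 values
        self.pending[barcode] = {
            "digest": hashlib.sha256(token.encode()).hexdigest(),  # never store the token
            "expires": now + TOKEN_TTL,
            "tries": 0,
        }
        return token

    def redeem(self, barcode, token, new_password, now=None):
        """Set new_password only if the token is valid, unexpired and unused."""
        now = time.time() if now is None else now
        req = self.pending.get(barcode)
        if req is None:
            return False
        if now > req["expires"] or req["tries"] >= MAX_ATTEMPTS:
            del self.pending[barcode]       # expired or locked out: start over
            return False
        digest = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, req["digest"]):
            req["tries"] += 1
            return False
        del self.pending[barcode]           # single use
        self.patrons[barcode]["password"] = new_password
        return True
```

Because `request_reset` leaves the existing password in force, a third party who submits someone else's barcode and email cannot lock the patron out or reduce the account to a short numeric secret.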