Improve Password Reset


evolvewh


Right now, if someone leaves the username field blank or enters an email address that does not exist, Blesta still says 'A confirmation email has been sent to the address on record.' when in fact, nothing is ever going to be sent to them. I'd like to request that Blesta validates what is entered and if it's blank, display a message saying 'Please enter a valid username' or if the email address does not exist in the system, say 'There is no match in our system for the email address you entered' or something along these lines.


20 minutes ago, evolvewh said:

Right now, if someone leaves the username field blank or enters an email address that does not exist, Blesta still says 'A confirmation email has been sent to the address on record.' when in fact, nothing is ever going to be sent to them. I'd like to request that Blesta validates what is entered and if it's blank, display a message saying 'Please enter a valid username' or if the email address does not exist in the system, say 'There is no match in our system for the email address you entered' or something along these lines.

While Blesta needs to up their improvements, this is actually not one of them. The reason why this is the case is because it's to "spoil" exploiters from breaching clients' accounts. If they "think" that their entry "worked" then they will be less likely to keep on trying.

It's kinda like cities having empty police cars, plain and simple but tends to work. :)


15 minutes ago, MineHarvest66 said:

While Blesta needs to up their improvements, this is actually not one of them. The reason why this is the case is because it's to "spoil" exploiters from breaching clients' accounts. If they "think" that their entry "worked" then they will be less likely to keep on trying.

It's kinda like cities having empty police cars, plain and simple but tends to work. :)

I can understand that, which means they should implement an IP block. We get way too many support tickets about this and live chats with frustrated customers. There has to be somewhere to 'meet in the middle' and figure out a better workable solution.


3 minutes ago, evolvewh said:

I can understand that, which means they should implement an IP block. We get way too many support tickets about this and live chats with frustrated customers. There has to be somewhere to 'meet in the middle' and figure out a better workable solution.

Definitely, I can understand there may be a better solution to this. However, I am confused on how customers are unable to reset their passwords on a regular basis. Sure, I can get that on occasion one may forget, but if they are "forgetting" their emails on a regular basis there may be a deeper "problem". For example, if they use a non-primary email (which may indicate that they are "hiding" or going to commit "questionable activities").


You can disable it telling you it's correct, but it does that to stop brute forcing. E.g.: I hacked your email account, and I know you have an account, so I keep trying everything until it goes to your email address.

Disable it: /config/blesta.php

find:

// Default password reset value. Set to true for improved security, false for more accurate error reporting
Configure::set('Blesta.default_password_reset_value', true);

change it to false.


1 hour ago, BlestaStore said:

You can disable it telling you it's correct, but it does that to stop brute forcing. E.g.: I hacked your email account, and I know you have an account, so I keep trying everything until it goes to your email address.

Disable it: /config/blesta.php

find:

// Default password reset value. Set to true for improved security, false for more accurate error reporting
Configure::set('Blesta.default_password_reset_value', true);

change it to false.

Thanks Michael. We may just edit the error message instead of compromising security this way.


Just to reiterate, the form returns a success message even if the username does not match a user account in order to hide information. Knowing what valid usernames exist can open up attack vectors. As @BlestaStore mentioned, you can update the Blesta.default_password_reset_value config value to false to instead show an error message if the username does not match an account.

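To make the trade-off in this thread concrete, here is an added example (not Blesta's code, and not PHP) of a password-reset handler written both ways. The `uniform_message` flag plays the role of the `Blesta.default_password_reset_value` setting from the post above (True: always answer "sent"; False: report "no match"), and the per-IP attempt limit is an assumed design for the "IP block" suggested earlier in the thread, not a feature the page attributes to Blesta. The user table, IP address and messages are constructed sample data; `enumerate_users` shows the attacker's side, i.e. how a revealing message turns the form into a username oracle.

```python
"""Password-reset handler with and without username enumeration (added example)."""
import time
from collections import defaultdict

GENERIC_MSG = "A confirmation email has been sent to the address on record."
NO_MATCH_MSG = "There is no match in our system for the email address you entered."
BLANK_MSG = "Please enter a valid username."
THROTTLED_MSG = "Too many password reset attempts. Please try again later."

# Constructed sample user table: username -> email (not real accounts).
USERS = {"alice": "alice@example.com", "bob": "bob@example.com"}


class ResetService:
    """Assumed design: a reset form front-end with a per-IP sliding-window limit."""

    def __init__(self, uniform_message=True, max_attempts=5, window=600, clock=time.time):
        self.uniform_message = uniform_message   # mirrors Blesta.default_password_reset_value
        self.max_attempts = max_attempts         # attempts allowed per IP per window
        self.window = window                     # window length in seconds
        self.clock = clock                       # injectable for testing
        self._attempts = defaultdict(list)       # ip -> timestamps of recent attempts
        self.sent = []                           # emails actually queued (for demonstration)

    def _throttled(self, ip):
        """Record one attempt for ip; True if the limit was already reached."""
        now = self.clock()
        recent = [t for t in self._attempts[ip] if now - t < self.window]
        self._attempts[ip] = recent
        if len(recent) >= self.max_attempts:
            return True
        recent.append(now)
        return False

    def request_reset(self, username, ip):
        # Blank input is rejected before any lookup: that message reveals nothing
        # about which accounts exist, so it is safe in both modes (the first post's
        # 'Please enter a valid username' request).
        username = (username or "").strip()
        if not username:
            return BLANK_MSG
        if self._throttled(ip):
            return THROTTLED_MSG
        email = USERS.get(username)
        if email is not None:
            self.sent.append(email)   # a real system would enqueue the mail here
            return GENERIC_MSG
        # Account not found: hide that fact (uniform) or report it (accurate).
        return GENERIC_MSG if self.uniform_message else NO_MATCH_MSG


def enumerate_users(service, candidates, ip="203.0.113.5"):
    """Attacker's view: which candidates get the 'success' response.

    With uniform messages every candidate looks valid and the oracle is useless;
    with accurate errors the reply set is exactly the list of real usernames.
    """
    return [u for u in candidates if service.request_reset(u, ip) == GENERIC_MSG]


if __name__ == "__main__":
    names = ["alice", "mallory", "bob", "zed"]
    print("uniform :", enumerate_users(ResetService(True, max_attempts=100), names))
    print("accurate:", enumerate_users(ResetService(False, max_attempts=100), names))
```

Two caveats a deployment should keep in mind. A uniform message only closes the oracle if the two branches are otherwise indistinguishable, so the found branch must not do noticeably more work (for example sending the mail synchronously) than the not-found branch; queue the mail and return. And the throttle is per source IP, so it slows an attacker but does not replace the uniform message: a distributed or slow enumeration still reads the revealing error one request at a time.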