Enhanced Login functionality. Product feature request.


Enhanced Login functionality. Product feature request.

jaspervanams
Hi all,

I'm trying to gather thumbs up for two product feature requests that everyone might find useful and subsequently doesn't require having to run around with a patched cms. So if you like the idea, please respond with a thumbs up! Oh, and if you have any additional ideas/comments, of course let them be known as well.

First off, an extended failed login message with configurable strings on whom to contact with telephone/email/whatever as extra info.
Together with a configurable X failed logins functionality that would change the 'active' status of the account to 'inactive' forcing the user to contact the sys admin to be activated again. Sys admin restores active status and resets password.

So in user story:
- User tries to login
- On X try user gets the additional message that his account has been deactivated and should contact a console/cms configured contact.
- Sys admin restores the active status of user and resets password to default password.
- User logs in. (See Next Prod feature request for added usefulness)


Second Prod feature: a 'mandatory change your password on first login' feature.

User story:
- Sys admin receives a create new user request with all appropriate data.
- Sys admin creates new users in cms, and gives them a default password.
- Sys admin informs the user of their account by regular email. (would also be nice if Hippo could be configured to forward to an email server, or otherwise incorporate a mailto: in the user creation dialog. But that is out of scope for this request).
- User logs into the cms and is presented with the 'change password' dialog immediately.
- If user cancels the dialog or session goes kaput or something, the default password would have to be valid for a configurable X days. With 0 being just that session.


That's it.
Kind regards, Jasper.

Re: Enhanced Login functionality. Product feature request.

Wouter Danes-2
+1 from me, should make life a bit easier for some devops. :)

--
View this message in context: http://hippo.2275632.n2.nabble.com/Enhanced-Login-functionality-Product-feature-request-tp7580202.html
Sent from the Hippo CMS 7 mailing list archive at Nabble.com.
_______________________________________________
Hippo-cms7-user mailing list and forums
http://www.onehippo.org/cms7/support/forums.html

Re: Enhanced Login functionality. Product feature request.

Jeroen Reijn
Administrator
In reply to this post by jaspervanams
On Thu, Jan 17, 2013 at 3:09 PM, jaspervanams
<[hidden email]> wrote:

> Hi all,
>
> I'm trying to gather thumbs up for two product feature requests that
> everyone might find useful and subsequently doesn't require having to run
> around with a patched cms. So if you like the idea, please respond with a
> thumbs up! Oh, and if you have any additional ideas/comments, of course let
> them be known as well.
>
> First off, an extended failed login message with configurable strings on whom
> to contact with telephone/email/whatever as extra info.
> Together with a configurable X failed logins functionality that would change
> the 'active' status of the account to 'inactive' forcing the user to contact
> the sys admin to be activated again. Sys admin restores active status and
> resets password.
>
> So in user story:
> - User tries to login
> - On X try user gets the additional message that his account has been
> deactivated and should contact a console/cms configured contact.
> - Sys admin restores the active status of user and resets password to
> default password.
> - User logs in. (See Next Prod feature request for added usefulness)
>

The above sounds really great and I do like the idea, but there is
more to this feature than just making a user inactive.
What if somebody gets the list of admin user accounts and then tries
them all X times... then nobody can go in and unlock them :-)

You also might be interested to know that in 7.8 you can enable a
captcha to show up after X attempts.

>
> Second Prod feature: a 'mandatory change your password on first login'
> feature.
>
> User story:
> - Sys admin receives a create new user request with all appropriate data.
> - Sys admin creates new users in cms, and gives them a default password.
> - Sys admin informs the user of their account by regular email. (would also
> be nice if Hippo could be configured to forward to an email server, or
> otherwise incorporate a mailto: in the user creation dialog. But that is out
> of scope for this request).
> - User logs into the cms and is presented with the 'change password' dialog
> immediately.
> - If user cancels the dialog or session goes kaput or something, the default
> password would have to be valid for a configurable X days. With 0 being just
> that session.
>

Yes I really like this one.

+1 from me.




--
Jeroen Reijn
Solution Architect
Hippo

Amsterdam - Oosteinde 11, 1017 WT Amsterdam
Boston - 1 Broadway, Cambridge, MA 02142

US +1 877 414 4776 (toll free)
Europe +31(0)20 522 4466
www.onehippo.com

http://about.me/jeroenreijn

Re: Enhanced Login functionality. Product feature request.

b.vanderschans@onehippo.com
Hi Jasper,

I like both ideas!

I just wouldn't consider the mail functionality out of scope. It will
make the user (admin) experience in both cases a lot smoother.
Basically on account creation and password resetting you want an
email to be sent to the user with a randomly generated password which has
to be changed by the user on first login. This will reduce the admin
effort to just a single click.

As an extra option you might want to make this generated password only
valid for a certain time (a day or a few days) for security reasons.

Regards,
Bart

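A sketch of the account lifecycle Jasper's second feature and Bart's reply describe, as an added example that is not code from the thread or from Hippo CMS: user creation and an admin password reset both issue a randomly generated one-time password (returned to the caller for the mail step, which is not shown), the first login with it opens a session that can reach nothing but the change-password dialog, and the temporary password expires after a configurable X days, with X = 0 meaning it dies with the session in which it was first used. All class and function names, the PBKDF2 storage scheme and the sample timestamps are constructed for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed base time for the sample scenario (the date of the thread).
T0 = datetime(2013, 1, 17, 15, 10)


def at_day(n: int) -> datetime:
    return T0 + timedelta(days=n)


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever the real CMS uses to store passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class User:
    salt: bytes
    pw_hash: Optional[bytes]           # None: no usable password at all
    must_change: bool = False          # True while a temporary password is set
    temp_issued_at: Optional[datetime] = None


@dataclass
class Session:
    username: str
    must_change: bool

    def can_access(self) -> bool:
        # Everything except the change-password dialog is blocked until then.
        return not self.must_change


class UserAdmin:
    """temp_valid_days is the configurable X from the request: 0 means the
    temporary password is only good for the session in which it is first used."""

    def __init__(self, temp_valid_days: int):
        self.temp_valid_days = temp_valid_days
        self.users: dict = {}

    def _issue_temp(self, username: str, now: datetime) -> str:
        temp = secrets.token_urlsafe(12)   # handed to the mail step (not shown)
        salt = secrets.token_bytes(16)
        self.users[username] = User(salt, hash_password(temp, salt), True, now)
        return temp

    def create_user(self, username: str, now: datetime) -> str:
        if username in self.users:
            raise ValueError("user exists")
        return self._issue_temp(username, now)

    def reset_password(self, username: str, now: datetime) -> str:
        """The admin's single click: same path as creation, old password gone."""
        if username not in self.users:
            raise KeyError(username)
        return self._issue_temp(username, now)

    def _temp_expired(self, user: User, now: datetime) -> bool:
        if not user.must_change:
            return False
        # With X = 0 any later login attempt is already past the window.
        return now > user.temp_issued_at + timedelta(days=self.temp_valid_days)

    def login(self, username: str, password: str, now: datetime) -> Optional[Session]:
        user = self.users.get(username)
        if user is None or user.pw_hash is None:
            return None
        if not hmac.compare_digest(user.pw_hash, hash_password(password, user.salt)):
            return None
        if self._temp_expired(user, now):
            return None   # the one-time password aged out; the admin must reissue
        return Session(username, user.must_change)

    def change_password(self, session: Session, new_password: str) -> None:
        user = self.users[session.username]
        user.salt = secrets.token_bytes(16)
        user.pw_hash = hash_password(new_password, user.salt)
        user.must_change, user.temp_issued_at = False, None
        session.must_change = False

    def end_session(self, session: Session) -> None:
        """Dialog cancelled or session gone: with X = 0 the unused temporary
        password must not survive, so it is wiped rather than left valid."""
        user = self.users[session.username]
        if user.must_change and self.temp_valid_days == 0:
            user.pw_hash = None
```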

Re: Enhanced Login functionality. Product feature request.

Bartosz Oudekerk
Administrator
On 17/01/13 16:37, Bart van der Schans wrote:

> Hi Jasper,
>
> I like both ideas!
>
> I just wouldn't consider the mail functionality out of scope. It will
> make the user (admin) experience in both cases a lot smoother.
> Basically on account creation and password resetting you want an
> email to be sent to the user with a randomly generated password which has
> to be changed by the user on first login. This will reduce the admin
> effort to just a single click.
>
> As an extra option you might want to make this generated password only
> valid for a certain time (a day or a few days) for security reasons.

+1

Kind regards,
Bartosz

Re: Enhanced Login functionality. Product feature request.

Joris Meijer
+1

_______________________________________________________________________
Joris Meijer
Consultant Online Technology | Capgemini Online

Capgemini "Netherlands" | Utrecht
Tel.: +31 30 68 93076 - Mob.: +31 6 5158 6350
www.capgemini.com

People matter, results count.
_______________________________________________________________________

Re: Enhanced Login functionality. Product feature request.

Oscar Scholten
Hi,

I agree with Jeroen Reijn and Bart that:

1) It may be better to display a captcha after a number of unsuccessful logins, rather than disabling the user's account. This also protects against brute-force attacks.

2) For users and sysadmins it is less manual work if the user can reset his password himself and have an activation link emailed to him.

Cheers, Oscar



Re: Enhanced Login functionality. Product feature request.

Jasper Floor
Yes on number 2 (force password change), no on number 1.

I think it's been mentioned, but if you invalidate a login just because someone tries it with incorrect credentials you have created a security leak as well as an attack vector. Someone can lock out all your users if they know who they are. The leak is because you are revealing that a certain user exists by disabling his account. I do not think you should ever reveal details about your system when incorrect credentials are used. The only proper response is login failed. Of course, you can disable an account without saying so, then you have avoided the leak but left the attack vector.

mvg,
Jasper


Re: Enhanced Login functionality. Product feature request.

Frank van Lankvelt
Note that the captcha is already implemented.
The captcha that's shown is just additional verification, no account
is disabled.

AFAIK, it is shown after a fixed number of unsuccessful attempts.
Whether they are for existing accounts or not does not matter.  So no
additional information is made available.  The attacker already knew
that she failed to log in N times.

cheers, Frank

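Jasper Floor's objection and Frank's description of the captcha side by side, as an added example that is not code from the thread or from Hippo CMS: the deactivate-after-X-failures design from the original request next to a captcha-after-N-failures policy that counts failures per client, never changes an account, and answers identically whether or not the username exists. The names, the threshold of 3 and the sample user are constructed; hashing a dummy account for unknown usernames is a small extension beyond the thread, so that existence is not revealed by response time either.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

MAX_FAILURES = 3  # the "X" from the request; constructed value


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever the real CMS uses to store passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    active: bool = True
    failures: int = 0  # only used by the lockout design


def make_account(password: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(salt=salt, pw_hash=hash_password(password, salt))


def make_users() -> dict:
    """Constructed sample directory: 'alice' is the only real account."""
    return {"alice": make_account("correct horse")}


def password_ok(acct: Account, password: str) -> bool:
    return hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt))


# Design 1: deactivate the account after X failures (the original request).
DEACTIVATED = "account deactivated, contact the administrator"


def login_lockout(users: dict, username: str, password: str) -> str:
    """Shows the two problems raised in the thread: the reply differs for
    existing and unknown usernames (enumeration leak), and anyone who knows
    a username can lock its owner out by failing X times."""
    acct = users.get(username)
    if acct is None:
        return "login failed"
    if not acct.active:
        return DEACTIVATED
    if password_ok(acct, password):
        acct.failures = 0
        return "ok"
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.active = False
        return DEACTIVATED
    return "login failed"


# Design 2: captcha after N failures per client, accounts left untouched.
# Dummy account so an unknown username costs the same hash work as a real one.
DUMMY = make_account(secrets.token_hex(16))


@dataclass
class CaptchaPolicy:
    users: dict
    threshold: int = MAX_FAILURES
    failures: dict = field(default_factory=dict)  # client_id -> failed count

    def needs_captcha(self, client_id: str) -> bool:
        return self.failures.get(client_id, 0) >= self.threshold

    def login(self, client_id: str, username: str, password: str,
              captcha_solved: bool = False) -> str:
        if self.needs_captcha(client_id) and not captcha_solved:
            # Demanded whether or not the username exists: the client only
            # learns what it already knew, that it failed N times.
            return "captcha required"
        acct = self.users.get(username)
        ok = password_ok(acct or DUMMY, password) and acct is not None and acct.active
        if ok:
            self.failures[client_id] = 0
            return "ok"
        self.failures[client_id] = self.failures.get(client_id, 0) + 1
        return "login failed"  # the only answer a wrong credential ever gets


if __name__ == "__main__":
    users = make_users()
    for _ in range(MAX_FAILURES):
        login_lockout(users, "alice", "wrong")
    # The legitimate owner is now locked out by someone else's failures:
    print("lockout:", login_lockout(users, "alice", "correct horse"))
    policy = CaptchaPolicy(make_users())
    for _ in range(MAX_FAILURES):
        policy.login("attacker", "alice", "wrong")
    print("captcha:", policy.login("attacker", "alice", "correct horse"))
    print("owner  :", policy.login("alice-pc", "alice", "correct horse"))
```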

Re: Enhanced Login functionality. Product feature request.

Olivier Bourgeois
Hi,

Does anybody think it could be interesting to implement 2-step authentication using Google Authenticator [1]? Or any other OTP provider.

regards.



On Wed, Jan 23, 2013 at 7:48 AM, Frank van Lankvelt <[hidden email]> wrote:
On Tue, Jan 22, 2013 at 5:20 PM, Jasper Floor <[hidden email]> wrote:
> Yes on  number 2 (force password change) no on number 1.
>
> I think its been mentioned, but if you invalidate a login just because
> someone tries it with incorrect credentials your have created a security
> leak as well an attack vector. Someone can lock out all your users if they
> know who they are. The leak is becuase you are revealing that a certain user
> exists by disabling his account. I do not think you should ever reveal
> details about your system when incorrect credentials are used. The only
> proper response is login failed. Of course, you can disable an account
> without saying so, then you have avoided the leak but left the attack
> vector.
>
Note that the captcha is already implemented.
The captcha that's shown is just additional verification, no account
is disabled.

AFAIK, it is shown after a fixed number of unsuccessful attempts.
Whether they are for existing accounts or not does not matter.  So no
additional information is made available.  The attacker already knew
that she failed to login N times.

cheers, Frank

> mvg,
> Jasper
>
> On Thu, Jan 17, 2013 at 5:15 PM, Oscar Scholten <[hidden email]>
> wrote:
>>
>> Hi,
>>
>> I agree with Jeroen Reijn and Bart that:
>>
>> 1) It may be better to display a capcha after a number of unsuccessful
>> logins, rather than disabling the user's account. This also protects against
>> brute-force attacks.
>>
>> 2) For users and sysadmins it is less manual work if the user can reset
>> his password himself and have an activation link emailed to him.
>>
>> Cheers, Oscar
>>
>>
>> On Thu, Jan 17, 2013 at 5:05 PM, Meijer, Joris
>> <[hidden email]> wrote:
>>>
>>> +1
>>>
>>> _______________________________________________________________________
>>> Joris Meijer
>>> Consultant Online Technology | Capgemini Online
>>>
>>> Capgemini "Netherlands" | Utrecht
>>> Tel.: <a href="tel:%2B31%2030%2068%2093076" value="+31306893076">+31 30 68 93076 - Mob.: <a href="tel:%2B31%206%205158%206350" value="+31651586350">+31 6 5158 6350
>>> www.capgemini.com
>>>
>>> People matter, results count.
>>> _______________________________________________________________________
>>> Connect with Capgemini:
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: [hidden email]
>>> [mailto:[hidden email]] On Behalf Of Bartosz
>>> Oudekerk
>>> Sent: donderdag 17 januari 2013 17:03
>>> To: Hippo CMS 7 implementation list
>>> Cc: [hidden email]
>>> Subject: Re: [Hippo-cms7-user] Enhanced Login functionality. Product
>>> feature request.
>>>
>>> On 17/01/13 16:37, Bart van der Schans wrote:
>>> > Hi Jasper,
>>> >
>>> > I like both ideas!
>>> >
>>> > I just wouldn't consider the mail functionality out of scope. It will
>>> > make the user (admin) experience in both cases a lot smoother.
>>> > Basically on account creation and password resetting you want that an
>>> > email is sent to the user with a random generated password which has
>>> > to be changed by the user on first login. This will reduce the admin
>>> > effort to just a single click.
>>> >
>>> > As an extra option you might want to make this generated password only
>>> > valid for a certain time (a day or a few days) for security reasons.
>>>
>>> +1
>>>
>>> Kind regards,
>>> Bartosz
>>> --
>>> Amsterdam - Oosteinde 11, 1017 WT Amsterdam
>>> Boston - 1 Broadway, Cambridge, MA 02142
>>>
>>> US +1 877 414 4776 (toll free)
>>> Europe +31(0)20 522 4466
>>> http://www.onehippo.com/
>>> _______________________________________________
>>> Hippo-cms7-user mailing list and forums
>>> http://www.onehippo.org/cms7/support/forums.html
>>> This message contains information that may be privileged or confidential
>>> and is the property of the Capgemini Group. It is intended only for the
>>> person to whom it is addressed. If you are not the intended recipient, you
>>> are not authorized to read, print, retain, copy, disseminate, distribute, or
>>> use this message or any part thereof. If you receive this message in error,
>>> please notify the sender immediately and delete all copies of this message.
>>
>>
>>
>>
>> --
>> Amsterdam - Oosteinde 11, 1017 WT Amsterdam
>> Boston - 1 Broadway, Cambridge, MA 02142
>>
>> US +1 877 414 4776 (toll free)
>> Europe +31(0)20 522 4466
>> www.onehippo.com
>>



--
Amsterdam - Oosteinde 11, 1017 WT Amsterdam
Boston - 1 Broadway, Cambridge, MA 02142

US +1 877 414 4776 (toll free)
Europe +31(0)20 522 4466
www.onehippo.com
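The two mechanisms argued over in the quoted replies above (a captcha step after a number of failed logins instead of deactivating the account, and an admin-generated temporary password that must be changed on first login and expires after a configurable number of days) sketched as one account policy. This is an added example written for this thread; it is not code from Hippo CMS or from anyone posting here. The `Account` class, the threshold constants, the PBKDF2 hashing and the fixed clock in `demo()` are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical policy values; the thread wants each of these configurable.
CAPTCHA_AFTER_FAILURES = 3       # require a captcha from this many consecutive failures
DEACTIVATE_AFTER_FAILURES = 10   # hard stop on top of the captcha; 0 switches it off
TEMP_PASSWORD_DAYS = 2           # generated password stays valid this long

def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example self-contained; a real CMS uses its own password store.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    active: bool = True
    must_change_password: bool = False
    temp_password_expires: Optional[datetime] = None
    failed_logins: int = 0

    @classmethod
    def create(cls, username: str, password: str) -> "Account":
        salt = os.urandom(16)
        return cls(username, salt, _hash(password, salt))

    def issue_temporary_password(self, now: datetime, days: int = TEMP_PASSWORD_DAYS) -> str:
        """Admin-side create/reset: random password that must be changed on first login.
        days=0 keeps no calendar limit; the 'just that session' rule is left to the web layer."""
        temp = secrets.token_urlsafe(12)
        self.salt = os.urandom(16)
        self.pw_hash = _hash(temp, self.salt)
        self.must_change_password = True
        self.temp_password_expires = now + timedelta(days=days) if days > 0 else None
        self.failed_logins = 0
        self.active = True
        return temp  # handed to the user out of band; the thread proposes email

    def needs_captcha(self) -> bool:
        return self.failed_logins >= CAPTCHA_AFTER_FAILURES

    def login(self, password: str, now: datetime, captcha_ok: bool = False) -> str:
        """Outcomes: ok, change_password, captcha_required, bad_credentials, inactive,
        temp_password_expired."""
        if not self.active:
            return "inactive"
        if self.needs_captcha() and not captcha_ok:
            # Escalate to a captcha instead of locking the account (Oscar's point 1).
            return "captcha_required"
        if not hmac.compare_digest(_hash(password, self.salt), self.pw_hash):
            self.failed_logins += 1
            if DEACTIVATE_AFTER_FAILURES and self.failed_logins >= DEACTIVATE_AFTER_FAILURES:
                self.active = False  # the original request's 'inactive' state; admin restores it
                return "inactive"
            return "bad_credentials"
        # Correct credentials: check expiry only now, so a wrong guess never learns
        # that a temporary password is pending on this account.
        if self.temp_password_expires is not None and now > self.temp_password_expires:
            return "temp_password_expired"
        self.failed_logins = 0
        return "change_password" if self.must_change_password else "ok"

    def change_password(self, new_password: str) -> None:
        self.salt = os.urandom(16)
        self.pw_hash = _hash(new_password, self.salt)
        self.must_change_password = False
        self.temp_password_expires = None


def demo() -> list:
    """Walks the scenario from the thread and returns the login outcomes in order."""
    now = datetime(2013, 1, 17, 17, 0, tzinfo=timezone.utc)   # constructed clock
    acct = Account.create("jasper", "correct horse battery")
    out = [acct.login("guess", now) for _ in range(CAPTCHA_AFTER_FAILURES)]
    out.append(acct.login("correct horse battery", now))               # captcha now required
    out.append(acct.login("correct horse battery", now, captcha_ok=True))
    temp = acct.issue_temporary_password(now)                          # admin resets
    out.append(acct.login(temp, now + timedelta(days=1)))              # forced change
    out.append(acct.login(temp, now + timedelta(days=3)))              # past expiry
    acct.change_password("another long passphrase")
    out.append(acct.login("another long passphrase", now + timedelta(days=3)))
    return out


def lockout_demo() -> str:
    """Sustained failures, each with a solved captcha, still end in deactivation."""
    now = datetime(2013, 1, 17, 17, 0, tzinfo=timezone.utc)
    acct = Account.create("editor", "some passphrase")
    for _ in range(DEACTIVATE_AFTER_FAILURES):
        acct.login("guess", now, captcha_ok=True)
    return acct.login("some passphrase", now, captcha_ok=True)   # 'inactive' even when correct
```

The ordering inside `login` is the part worth copying: the captcha gate runs before any password check, and the temporary-password expiry is only reported after the credentials verified, so the failure message is the same for every wrong guess. Set `DEACTIVATE_AFTER_FAILURES` to 0 to get the captcha-only behaviour Oscar prefers; the original request's deactivation-and-call-the-admin flow is the non-zero setting.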
Re: Enhanced Login functionality. Product feature request.

Bert Leunis
In reply to this post by Oscar Scholten
Whichever ideas work the best, improving on the user/password management is a very good idea. Is that on the roadmap yet?

With kind regards/Met vriendelijke groet,
Bert Leunis

Amsterdam - Oosteinde 11, 1017 WT Amsterdam
Boston - 1 Broadway, Cambridge, MA 02142

US +1 877 414 4776 (toll free)
Europe +31(0)20 522 4466
www.onehippo.com



Re: Enhanced Login functionality. Product feature request.

abhishek bhardwaj
Hi all, I just want some help regarding how to change password and change profile.


Re: Enhanced Login functionality. Product feature request.

Bert Leunis
Hello Abhishek,

Your question is only very slightly related to the topic in this thread. Please start a new thread to get help on this.

With kind regards/Met vriendelijke groet,
Bert Leunis

Amsterdam - Oosteinde 11, 1017 WT Amsterdam
Boston - 1 Broadway, Cambridge, MA 02142

US +1 877 414 4776 (toll free)
Europe +31(0)20 522 4466
www.onehippo.com



Re: Enhanced Login functionality. Product feature request.

Oscar Scholten
In reply to this post by Bert Leunis
Hi Bert/Olivier,

I haven't heard the requirement to do a two step authentication before. As such, it's not on our roadmap.

Cheers, Oscar


--
Amsterdam - Oosteinde 11, 1017 WT Amsterdam
Boston - 1 Broadway, Cambridge, MA 02142

US +1 877 414 4776 (toll free)
Europe +31(0)20 522 4466
www.onehippo.com
