diff --git a/Rewritten-docs.md b/Rewritten-docs.md index 8adbd9c..91afb33 100644 --- a/Rewritten-docs.md +++ b/Rewritten-docs.md @@ -531,33 +531,33 @@ solution was found. ### Forgotten password -With authentication and some sort of dealing with passwords is related problem -with forgotten passwords. People easily forget them and there has to be some -kind of mechanism to retrieve new password or change old one. Problem is it -cannot be done in totally secure way but we can at least come quite close to it. -But lets start from the beginning there are ways to handle that which are -absolutely not secure and recommendable, for example sending old password -through email. Better solution but still not secure is to generate new one and +With authentication and some sort of dealing with passwords is related a problem +with forgotten credentials, especilly passwords. People easily forget them and +there has to be some kind of mechanism to retrieve a new password or change the +old one. Problem is that it cannot be done in totally secure way, but we can at +least come quite close to it. First, there are absolutely not secure and +recommendable ways to handle that, for example sending the old password through +email. A better, but still not secure solution is to generate a new one and again send it through email. This solution was provided in CodEx, users had to -write email to administrator who generated new password and sent it back to -sender. This simple solution could be also automated but administrator had quite -a big control over whole process which might come in handy there could be some -additional checkups for example, but on the other hand it can be quite time -consuming. - -Probably the best solution which is quite used and fairly secure is following. -Lets consider only case in which all users have to fill email addresses into -system and these addresses are safely in the hands of the right users. At the -beginning user finds out that he/she does not remember password after that user -requests password reset and fill in his/her unique identifier, it might be email -or unique nickname. Based on matched user account system generates unique access -token and sends it user email address. Tokens should be time limited and usable -only once so they cannot be misused. User then takes token or address which was -provided in email and go to system in appropriate section, where new password -can be set. After that user can sign in with his new password. As stated this -solution is quite safe and user can handle it on its own administrator does not -have to worry about it. That is why this approach was chosen to be used in -ReCodEx. +write an email to administrator, who generated a new password and sent it back +to the sender. This simple solution could be also automated, but administrator +had quite a big control over whole process. This might come in handy if there +could be some additional checkups for example, but on the other hand it can be +quite time consuming. + +Probably the best solution which is often used and is fairly secure is +following. Let us consider only case in which all users have to fill their +email addresses into the system and these addresses are safely in the hands of +the right users. When user finds out that he/she does not remember a password, +he/she requests a password reset and fill in his/her unique identifier; it might +be email or unique nickname. Based on matched user account the system generates +unique access token and sends it user via email address. This token should be +time limited and usable only once, so it cannot be misused. User then takes the +token or URL address which is provided in the email and go to the system's +appropriate section, where new password can be set. After that user can sign in +with his/her new password. As previously stated, this solution is quite safe and +user can handle it on its own, so administrator does not have to worry about it. +That is the main reason why this approach was chosen to be used in ReCodEx. ### Evaluation unit executed by ReCodEx