|
|
@ -531,33 +531,33 @@ solution was found.
|
|
|
|
|
|
|
|
|
|
|
|
### Forgotten password
|
|
|
|
### Forgotten password
|
|
|
|
|
|
|
|
|
|
|
|
With authentication and some sort of dealing with passwords is related problem
|
|
|
|
With authentication and some sort of dealing with passwords is related a problem
|
|
|
|
with forgotten passwords. People easily forget them and there has to be some
|
|
|
|
with forgotten credentials, especilly passwords. People easily forget them and
|
|
|
|
kind of mechanism to retrieve new password or change old one. Problem is it
|
|
|
|
there has to be some kind of mechanism to retrieve a new password or change the
|
|
|
|
cannot be done in totally secure way but we can at least come quite close to it.
|
|
|
|
old one. Problem is that it cannot be done in totally secure way, but we can at
|
|
|
|
But lets start from the beginning there are ways to handle that which are
|
|
|
|
least come quite close to it. First, there are absolutely not secure and
|
|
|
|
absolutely not secure and recommendable, for example sending old password
|
|
|
|
recommendable ways to handle that, for example sending the old password through
|
|
|
|
through email. Better solution but still not secure is to generate new one and
|
|
|
|
email. A better, but still not secure solution is to generate a new one and
|
|
|
|
again send it through email. This solution was provided in CodEx, users had to
|
|
|
|
again send it through email. This solution was provided in CodEx, users had to
|
|
|
|
write email to administrator who generated new password and sent it back to
|
|
|
|
write an email to administrator, who generated a new password and sent it back
|
|
|
|
sender. This simple solution could be also automated but administrator had quite
|
|
|
|
to the sender. This simple solution could be also automated, but administrator
|
|
|
|
a big control over whole process which might come in handy there could be some
|
|
|
|
had quite a big control over whole process. This might come in handy if there
|
|
|
|
additional checkups for example, but on the other hand it can be quite time
|
|
|
|
could be some additional checkups for example, but on the other hand it can be
|
|
|
|
consuming.
|
|
|
|
quite time consuming.
|
|
|
|
|
|
|
|
|
|
|
|
Probably the best solution which is quite used and fairly secure is following.
|
|
|
|
Probably the best solution which is often used and is fairly secure is
|
|
|
|
Lets consider only case in which all users have to fill email addresses into
|
|
|
|
following. Let us consider only case in which all users have to fill their
|
|
|
|
system and these addresses are safely in the hands of the right users. At the
|
|
|
|
email addresses into the system and these addresses are safely in the hands of
|
|
|
|
beginning user finds out that he/she does not remember password after that user
|
|
|
|
the right users. When user finds out that he/she does not remember a password,
|
|
|
|
requests password reset and fill in his/her unique identifier, it might be email
|
|
|
|
he/she requests a password reset and fill in his/her unique identifier; it might
|
|
|
|
or unique nickname. Based on matched user account system generates unique access
|
|
|
|
be email or unique nickname. Based on matched user account the system generates
|
|
|
|
token and sends it user email address. Tokens should be time limited and usable
|
|
|
|
unique access token and sends it user via email address. This token should be
|
|
|
|
only once so they cannot be misused. User then takes token or address which was
|
|
|
|
time limited and usable only once, so it cannot be misused. User then takes the
|
|
|
|
provided in email and go to system in appropriate section, where new password
|
|
|
|
token or URL address which is provided in the email and go to the system's
|
|
|
|
can be set. After that user can sign in with his new password. As stated this
|
|
|
|
appropriate section, where new password can be set. After that user can sign in
|
|
|
|
solution is quite safe and user can handle it on its own administrator does not
|
|
|
|
with his/her new password. As previously stated, this solution is quite safe and
|
|
|
|
have to worry about it. That is why this approach was chosen to be used in
|
|
|
|
user can handle it on its own, so administrator does not have to worry about it.
|
|
|
|
ReCodEx.
|
|
|
|
That is the main reason why this approach was chosen to be used in ReCodEx.
|
|
|
|
|
|
|
|
|
|
|
|
### Evaluation unit executed by ReCodEx
|
|
|
|
### Evaluation unit executed by ReCodEx
|
|
|
|
|
|
|
|
|
|
|
|