Review settings improvements please


Rodion (admin)     2020-07-25 08:25:52

Hi Friends!

Our website was lacking several general functions for accounts using login/password to enter: e.g. changing password and password reminder option.

Main reason was that such functionality, though not complicated, requires careful logic and implementation to prevent security troubles for people.

Now I'm adding these features step by step, and as I currently have no security guru to consult, let's review them together - please tell if at some point my logic seems endangering accounts.

  1. Password Change (already in settings page) - requires providing old password and the new password twice. This seems typical - so that if user left the laptop unattended, some joker can't easily set new password (without knowing old one). However we are not sending any confirmation emails (as we don't want to store emails) - should be ok?

  2. Email Change (also already in settings page) - requires current password and new email address. The idea is the same - wrongdoer can't change email even if they got temporary access to computer with CA account open in browser. But again we don't send any emails.

  3. Github linking (also in settings page) - user can attach github account and then login using it. Current password should be supplied for the same reason. It is similar to registering via github from beginning, but retains ability to login with password. However email is erased from database and so feature of "reminding" password will be disabled.

  4. Remind Password (work in progress) - user shall enter username and email on dedicated page. If email matches one stored for this username in database (or rather their hashes), email is sent with alternative password. If user enters with this alternative password (say, within an hour), it is set as new password. Ideally user should then change password to something different.

  5. Email hashing (also upcoming) - we don't want to store emails really (both because we don't want to send anything usually - and to easier comply with modern internet privacy rules) - instead we should store, say, initial letter, domain and hash of email. So that when user wants to be emailed (e.g. by password reminder) email should be re-entered in web-form (and its hash compared to one stored in database). Advantage is that even if website is hacked addresses are not stolen. Disadvantage is that user may not easily remember what email he/she set up. I thought this is already done in 2018, but seemingly I forgot to finish such move then, sorry.

This "password reminder" leaves a kind of popular vulnerability - if computer is left unattended with both CodeAbbey account open and email open too (say, in other tab of browser) - which may be not rare in school/university circumstances, for example - some "friend" can successfully change password.

I don't see obvious easy protection from this. There are various schemes with 2-factor authentication and even messages sent to cell-phone - but for our small and insignificant web-site this seems to be overkill.

Thus if user thinks password could be changed by his/her "friends" in such manner, there are multiple ways to prevent it:

  • link Github account so reminder feature is disabled, and optionally enjoy 2-factor authentication (also available for accounts registered with Facebook or Gmail)
  • set up different, rarely used email, not known to most of friends and relatives
  • or set up non-functional email and never forget password :)

That's all I can think of at the moment. Please tell whether this sounds logical or there are obvious mistakes.
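The flow described in items 1, 4 and 5 above, written out as an added example (not code from CodeAbbey, whose implementation is not shown in this thread). It uses an in-memory dictionary as a stand-in for the user table, a server-side secret key ("pepper") for the email hash, and PBKDF2 for passwords; all three are assumptions of the example. The point it adds beyond the post is that the email hash should be keyed (HMAC with a secret kept outside the database), because a plain SHA-256 of an address is easily reversed by hashing a list of known addresses, which would defeat the "addresses are not stolen" goal of item 5.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stand-in for the site's user table (assumption; the
# real schema is not shown in the thread).
USERS = {}

# Alternative password stays valid for one hour, as item 4 suggests.
TEMP_PASSWORD_TTL = 3600
PBKDF2_ROUNDS = 100_000


def normalize_email(email):
    """Trim and lowercase so the same address always hashes the same way."""
    return email.strip().lower()


def email_fingerprint(email, pepper):
    """Item 5: keep only a hint (first letter + domain) and a keyed hash.

    HMAC with a server-side secret ("pepper", assumed to live outside the
    database) rather than a bare SHA-256, so a stolen table cannot be
    reversed by hashing a dictionary of known addresses.
    """
    e = normalize_email(email)
    local, _, domain = e.rpartition("@")
    return {
        "hint": f"{local[:1]}***@{domain}",
        "hash": hmac.new(pepper, e.encode(), hashlib.sha256).hexdigest(),
    }


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; stored value is salt || derived key."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + dk


def verify_password(password, stored):
    salt, dk = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, dk)


def register(username, password, email, pepper):
    USERS[username] = {
        "pw": hash_password(password),
        "email": email_fingerprint(email, pepper),
        "temp": None,  # pending alternative password, if any
    }


def change_password(username, old_password, new_password, new_password_again):
    """Item 1: old password required, new password entered twice."""
    user = USERS.get(username)
    if user is None or new_password != new_password_again:
        return False
    if not verify_password(old_password, user["pw"]):
        return False
    user["pw"] = hash_password(new_password)
    user["temp"] = None  # any pending reminder password is cancelled too
    return True


def request_reminder(username, email, pepper, now=None):
    """Item 4: hash the re-entered email and compare it with the stored hash.

    Returns the alternative password on a match (the caller would email it to
    that address, never show it on the page) and None otherwise.
    """
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None:
        return None
    entered = email_fingerprint(email, pepper)["hash"]
    if not hmac.compare_digest(entered, user["email"]["hash"]):
        return None
    temp = secrets.token_urlsafe(12)
    user["temp"] = {"pw": hash_password(temp), "expires": now + TEMP_PASSWORD_TTL}
    return temp


def login(username, password, now=None):
    """Regular password first; otherwise an unexpired alternative password,
    which on success becomes the new password and is consumed."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None:
        return False
    if verify_password(password, user["pw"]):
        return True
    temp = user["temp"]
    if temp is not None and now < temp["expires"] and verify_password(password, temp["pw"]):
        user["pw"] = temp["pw"]
        user["temp"] = None
        return True
    return False
```

Two details worth noting: `request_reminder` returns the same `None` for an unknown username and for a wrong email, so the page cannot be used to tell which usernames exist; and the alternative password is stored only as a hash with an expiry, so a database copy taken after a reminder was issued does not reveal a usable login.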

qwerty     2020-07-25 10:18:49

I'm not a security guru, but please take my opinion into consideration.

First, your site does not check if the email which user provided at registration time really exists, so how can you ever think of sending confirmation emails?

Second, password reminder option is useless for the same reason. If you really wanted to add such option, of course you thought it through carefully and added alternative options to restore password, am I right? And of course, alternative options should require very careful checks, at least add the form to upload photo of user passport and to ask him/her some control questions.

Github linking, password change (without sending confirmation emails) and email hashing features are okay for me.

And there is one important feature absent on your site. Please add an option to delete Code Abbey account.

Thank you for reading this.

qwerty     2020-07-25 10:35:18

And the page for login/register still states that no emails will be sent. I hope this remains as is, but if you change this, do not forget to update information on login/register page.

Rodion (admin)     2020-07-25 11:02:44

Hi, thanks for speedy response!

but please take my opinion into consideration

That is my intention, that is why I ask for opinions :)

your site does not check if email which user is provided at registration time really exists, how you can ever think of sending confirmation emails?

I probably don't understand - what "confirmation email" we are speaking of? We don't intend to send any. E.g. it's ok if person enters non-existent email (though it won't be useful for password restoring).

Second, password reminder option is useless for the same reason.

Here again I'm not sure I understand. If person entered correct e-mail, password could be restored. Otherwise, if person entered incorrect email, it's better not to forget password. We leave this choice to user...

And of course, alternative options should require very careful checks, at least add the form to upload screenshots of user passport

I think there won't be such options, e.g. because passports don't exist in many countries, and because processing user's personal data may be close to unlawful in many countries nowadays. And anyway we don't know user's real name to match with passport, right?

So we take some measures to help restoring access to account if password is forgotten, but are not going to take any extraordinary measures. It would be overhead for hobby site :)

Still people can use GH / FB / Gmail account to register to have all their options (it is also preferable for our site so we don't need to store any sensitive data at all).

Please add an option to delete Code Abbey account.

During the few years of site existence there were about a dozen requests of such kind. However the idea is poorly understood: what exactly do you mean under "deleting account"? Which data?

And the page for login/register still states that no emails will be sent. I hope this remains as is

Yes, in my opinion it should remain - and anyway if we want to get rid of storing emails - we won't know where to send them, right (email couldn't be sent by hash of address, of course).

qwerty     2020-07-25 13:14:05

Hello, Rodion.

I probably don't understand - what "confirmation email" we are speaking of?

In the first message you wrote:

However we don't send any confirmation emails - should be ok?

This is what I talked about. Yes, should be ok.

What you mean under "deleting account". Which data?

Under this I mean the following actions:

  1. Most importantly, delete login data for that user (Github/Facebook/Gmail linking or password/email pair). So no one can log in and speak on behalf of that user.
  2. Delete all the solutions related to that user from database.
  3. Delete all messages of that user from forum.

The solutions and forum posts can be transferred to user "unknown" instead of deletion if you find this approach easier to implement. Login data should not be transferred to anyone :).

Rodion (admin)     2020-07-25 13:34:43

Deleting solutions is an extremely unwanted feature I'd say.

There are several problems - one is detecting cheaters. We sometimes have inflows of people from specific schools, seemingly trying to solve say 50 problems (supposedly told so by teacher) and reusing solutions. Obviously if they will show solutions to teacher and then delete account with solutions, it would be more annoying than now.

The second is such account deletions will lead to broken links if any refers to them. Thirdly this may lead to slight rearranging of ranking.

None of this is critical and also of course solutions could be overwritten manually, but I don't see reason to remove solutions really, they are not personal data etc.

Deleting messages from forums will lead to some threads looking awkward and is generally quite annoying feature. That is why even editing usually is allowed only for some brief time.

As to obfuscating login data... well, this could be done... yes

qwerty     2020-07-25 14:03:11

Yeah, this is why I said solutions and posts can be transferred to some pseudo-user instead of deletion.

And anyway it is not very important and can be skipped. What is important is to delete login data. It pains me so much to think that some impostor can crack password and start harassing people, ruining my reputation, like it was on other site. It would be ok if I logged in soon and brought my apologies, but I wasn't visiting site for some time.

When I finally visited this site after three years of absence, I was very unhappy to read what was written by "me".

Rodion (admin)     2020-07-25 15:15:46

When I finally visited this site after three years of absence, I was very unhappy to read what was written by "me".

Hm-m-m. Can you give more details about this story? This is alarming and if there is no mistake I would be interested to figure out how this happened?

qwerty     2020-07-25 15:40:18

You see, I'm a low-qualified specialist so no organisation wants to employ me. Because of this, I'm self employed and am trying to find job on different freelance sites and forums. I don't even remember all these sites and it can be that I do not visit some of these sites for a long period. Surely attacker noticed an abandoned account, and tried to crack password. I do not know how he/she succeeded though, I'm not a guru on information safety, and said about it in the very first post of this topic.

qwerty     2020-07-25 15:51:44

Well, your site is not a freelance site or specialized forum, so... probably this is not worth the effort to implement deletion in any form. Sorry for my stupid suggestion, this site is good enough as it is.

Rodion (admin)     2020-07-25 16:04:05

Hm-m-m, I'm a bit puzzled, as I don't understand whether you mean someone hacked your account at this site or some other.

If you will remember specific account etc - please share so I can at least try to investigate, whether we have some general security problem...

It's not a stupid suggestion, don't worry (as I mentioned some people asked about this). On the contrary, thank you for participation in this discussion. With deletion I meant I would like to better understand what is the goal of deletion, as, for example, it is hard to hide information in that way provided that most sites are often enough copied by "wayback machine", search engine caches etc...

The idea of prevention of misusing account sounds interesting - I think we'll add deletion feature in future then.

Hopefully people won't ask for "undelete" feature after that :)

qwerty     2020-07-26 05:00:46

...as I don't understand do you mean someone hacked your account at this site or some other.

This was on other site, not here.
