[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Best practices for providing user name and password for a web-based app?

Posted on 2012-04-11
2
Medium Priority
?
514 Views
Last Modified: 2012-06-21
Would appreciate advise on best practices for setting up user accounts and passwords.

I have a web-based app running on a hosted Linux server, latest version Apache, PHP, SQL. SSL is used for this site.

It's necessary to allow some users of this app to setup accounts for other users. Here's how the process works today:
1)  User 1 logs in, we will call this user Admin.
2)  Admin creates a new user by entering form data which includes new user's name and email address. When Admin posts back to the server a random password is then created, encrypted (using hash/salt) and stored in SQL. The proper SQL-injection guards are in place.
3)  An email is then sent to the new user giving them both a username and the random password.
4)  When the new user logs in they are forced to change the password.

The Admin has to be trusted to have the correct email for the new user and be allowed to create new users on their own, that's not the issue. My concern is with the security of sending the username and password through email. But, I can't get my head around any other way to do this. If I change it so that a link is sent to the new user that info could be intercepted as easily as sending a username and password. The only verifiable data we have on the new user is their email.

What do best practices suggest?
0
Comment
Question by:jimdgar2
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 14

Assisted Solution

by:binaryevo
binaryevo earned 1000 total points
ID: 37834594
That's going to be tough if all you have is an email.  I'm not sure that you could effectively secure this other than the way you are already doing it.  My suggestion is to try and add a challenge question / response or something likewise in addition to the email so you have another means of authorizing the user when they login with the temp password.  This will obviously require them to know the information so it adds another level of security.
0
 
LVL 30

Accepted Solution

by:
Olaf Doschke earned 1000 total points
ID: 37835180
How about changing the process?

Admin sends an invite to a user to create his own account, which is done in a normal fashion with the difference the admin needs to approve the new account before it gets active. Even if someone catches that invite (probably some invite code) or the invited user shares his invite, that only allows user account creation of dead accounts, even if not deactivating the invite code after it's usage, And all these accounts, but the first, will never be approved.

This way the password is never sent by mail.

But if you are concerned about the password sent by mail, you should also be concerned about the password being sent through http request, even as a POST request, this is cleartext, if the account creation and login are not done using SSL/https.

The only flaw this has is if a user shares his mail with friends, relatives or such. If they have access to the mailbox and can create the account and determine the password, be approved, delete the invite mail, and the real invited person never knows.

But that's perhaps less problematic than sending a password in mail.

Most webhosters I know simply do send out mails with passwords. You have to start somehow and if you don't allow anyone to create new accounts forcing a password change after first login is a feasable solution, too.

Bye, Olaf.
0

Featured Post

Plesk WordPress Toolkit

Plesk's WordPress Toolkit allows server administrators, resellers and customers to manage their WordPress instances, enabling a variety of development workflows for WordPress admins of all skill levels, from beginners to pros.

See why 2/3 of Plesk servers use it.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When it comes to security, close monitoring is a must. According to WhiteHat Security annual report, a substantial number of all web applications are vulnerable always. Monitis offers a new product - fully-featured Website security monitoring and pr…
Originally, this post was published on Monitis Blog, you can check it here . In business circles, we sometimes hear that today is the “age of the customer.” And so it is. Thanks to the enormous advances over the past few years in consumer techno…
The viewer will learn how to dynamically set the form action using jQuery.
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
Suggested Courses

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question