
"Change Password" should prompt users to "Reset Password" if no password has been set
Closed, Resolved (Public)

Description

From Q161, I tried to reproduce at rP HEAD and yes, it's reproducible.

  1. Create an account using OAuth.
  2. You feel you want to use the user/password option when logging in.
  3. Go to Settings > Password.
  4. Trying to enter the required "old password", you realize you cannot, because the OAuth account creation form never asked you for a password.

Event Timeline

revi updated the task description. (Show Details)
revi added a project: Auth.
revi added subscribers: revi, Intrainos, chad.
eadler added a project: Restricted Project. Jan 8 2016, 10:25 PM
eadler moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board. Jan 8 2016, 10:41 PM
epriestley renamed this task from "OAuth created account cannot have a password" to "Change Password" should prompt users to "Reset Password" if no password has been set. Apr 3 2016, 1:15 PM
epriestley triaged this task as Low priority.

The workflow to set a password on an account which does not have one is:

  • Log out.
  • Use the "Reset Password" workflow to get a password reset email.
  • Use that to set a password.

It's intentional that this flow is a little more involved than just typing a password.

One attack that "just type a password" allows is that an attacker can wait for you to get up without locking your terminal, then quickly add a password to your account and log in from elsewhere. This can be fast and hard to detect.

Forcing you through a reset + email workflow isn't much better (since you're probably logged in to Gmail or whatever too, in a different window on the same machine), but does make this attack at least marginally more difficult to execute without alerting the account owner (it will take longer, they may see the email on their phone before you can destroy it, etc).

When setting a password for the first time like this, we should probably also MFA you if we don't already. That should make the attack a bit more difficult.
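The policy epriestley describes (refuse a direct "change password" on an account that has no password, push the user through a logged-out reset link that is single-use and expires, and demand an MFA code when the account is enrolled) can be modelled in a few dozen lines. The following is an added illustration and is not Phabricator's own code; `PasswordService`, `Account`, `RESET_TOKEN_TTL`, the PBKDF2 parameters and the in-memory "outbox" standing in for sent mail are all assumptions made for this example. It generalizes the comment slightly by requiring MFA on every reset for enrolled accounts, which covers the first-time-password case.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical model of the set-password flows discussed in this task.
# Added example; not Phabricator's code. All names and constants are invented.

PBKDF2_ROUNDS = 100_000
RESET_TOKEN_TTL = 3600          # seconds a reset link stays valid (assumed value)


def hash_password(password: str) -> bytes:
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1; serves as the MFA challenge here."""
    counter = (now // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class Account:
    username: str
    email: str
    password_hash: Optional[bytes] = None   # None: created via OAuth, no password ever set
    mfa_secret: Optional[bytes] = None      # None: not enrolled in MFA


class PasswordService:
    def __init__(self, accounts: List[Account]):
        self.accounts = {a.username: a for a in accounts}
        # sha256(token) -> (username, expiry); a leaked table yields no usable links
        self.reset_tokens: Dict[str, Tuple[str, int]] = {}
        self.outbox: List[Tuple[str, str]] = []   # (email, token): stands in for sent mail

    def change_password(self, username: str, old_password: str, new_password: str) -> str:
        """The logged-in settings panel. Only usable when a password already exists."""
        acct = self.accounts[username]
        if acct.password_hash is None:
            # Someone at an unlocked terminal cannot quietly add a password;
            # the UI should send the user to the reset workflow instead.
            return "reset-required"
        if not verify_password(old_password, acct.password_hash):
            return "bad-old-password"
        acct.password_hash = hash_password(new_password)
        return "changed"

    def request_reset(self, email: str, now: int) -> str:
        """Logged-out 'Reset Password': mail a single-use, expiring token."""
        acct = next((a for a in self.accounts.values() if a.email == email), None)
        if acct is not None:   # identical response either way: no account enumeration
            token = secrets.token_urlsafe(32)
            key = hashlib.sha256(token.encode()).hexdigest()
            self.reset_tokens[key] = (acct.username, now + RESET_TOKEN_TTL)
            self.outbox.append((email, token))
        return "reset-email-sent"

    def consume_reset(self, token: str, new_password: str, now: int,
                      mfa_code: Optional[str] = None) -> str:
        """Follow the emailed link and set the password; MFA is demanded if enrolled."""
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.reset_tokens.pop(key, None)   # single use: gone once acted upon
        if entry is None:
            return "invalid-token"
        username, expires_at = entry
        if now > expires_at:
            return "expired-token"
        acct = self.accounts[username]
        if acct.mfa_secret is not None:
            if mfa_code is None:
                self.reset_tokens[key] = entry      # nothing happened yet; UI asks for a code
                return "mfa-required"
            expected = totp(acct.mfa_secret, now)
            if not hmac.compare_digest(mfa_code.encode(), expected.encode()):
                return "bad-mfa-code"               # a wrong guess burns the link
        acct.password_hash = hash_password(new_password)
        return "password-set"
```

The point of the shape is that there is no code path by which an already-authenticated session turns a passwordless account into one with a password: that transition only happens through `consume_reset`, which needs the emailed token (and, for enrolled accounts, a current TOTP code), so the attacker at the unlocked terminal has to intercept the mail and beat the second factor rather than just type into a form.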

eadler moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board. Jul 4 2016, 9:06 PM