PostFreely @flamewar.social reiver @flamewar.social

PostFreely: Password Reset

I am investigating improving password resetting in the PostFreely applications.

PostFreely inherited limited password reset abilities. I am now looking at improving this, and making it so that PostFreely has a more comprehensive set of methods for resetting passwords.

Please reply with your comments, questions, complaints, and any other feedback.

---

A basic operation of many (maybe most) applications is signing-in.

There are many different techniques an application could offer its users to enable them to sign-in.

---

For example —

  • e-mail address and one-time auth-code (sent to said e-mail address),
  • finger-print recognition,
  • user ID & time-based one-time password,

---

PostFreely currently does something different.

Currently PostFreely offers a popular, well-known method for its users to use to sign-in —

  • e-mail address & password.

---

A trade-off with using passwords, as PostFreely does, is that people sometimes forget their passwords.

A solution to this problem is — resetting a user's password.

---

Currently PostFreely only has two methods for resetting the password:

  1. a technical sysop with access to the command-line on the server uses the postfreely executable file to interactively reset the user's password to some value,
  2. an administrator uses a web-based method to reset a user's password.

---

Some problems with this are —

  • currently a user cannot reset their own password,
  • currently an administrator's password cannot be reset — if they or someone else cannot directly access the server, or if they are not comfortable using a terminal-emulator,
  • currently there are not any good ways of automating password resets via 3rd party tools.

---

Plan

PostFreely should have a more comprehensive set of methods to reset passwords —

  • a user should be able to reset their own password from the web-site,
  • a technical sysop should have a non-interactive way to reset a user's password from the command-line, so that it lends itself to automation,
  • a special API should exist for resetting any password including the admin, so that a technical sysop can use it for automation,
    • (special care needs to be paid to how this is secured.)

---

Please reply with your comments, questions, complaints, and any other feedback.

---

⸺ Charles Iliya Krempeaux ( @[email protected] )
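
One possible shape for the self-service reset in the plan above, as an added example that is not part of the original post and not PostFreely's code. The post does not specify a mechanism; this assumes an e-mailed, single-use, expiring token, and `ResetStore`, `Issue`, `Redeem`, `resetTTL` and the user "alice" are hypothetical names.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"time"
)

const resetTTL = 15 * time.Minute // assumed lifetime, not a PostFreely setting
var ErrInvalidToken = errors.New("invalid or expired reset token")

// resetEntry is all the server keeps: a hash of the token, never the token itself.
type resetEntry struct {
	hash    [32]byte
	expires time.Time
}

type ResetStore map[string]resetEntry // hypothetical in-memory store keyed by user ID; not concurrency-safe

// Issue makes a 256-bit random token for user (replacing any earlier one) to put in the e-mailed link.
func (s ResetStore) Issue(user string, now time.Time) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := base64.RawURLEncoding.EncodeToString(raw)
	s[user] = resetEntry{hash: sha256.Sum256([]byte(token)), expires: now.Add(resetTTL)}
	return token, nil
}

// Redeem consumes the token on success; unknown user, wrong token and expiry all give the same error.
func (s ResetStore) Redeem(user, token string, now time.Time) error {
	e, ok := s[user]
	got := sha256.Sum256([]byte(token))
	if !ok || subtle.ConstantTimeCompare(got[:], e.hash[:]) != 1 || now.After(e.expires) {
		return ErrInvalidToken
	}
	delete(s, user) // single use
	return nil
}

func main() {
	s, now := ResetStore{}, time.Now()
	tok, _ := s.Issue("alice", now) // "alice" is a constructed sample user
	fmt.Println(s.Redeem("alice", tok, now), s.Redeem("alice", tok, now))
}
```

Storing only the hash means a leaked reset table does not yield usable reset links, and the request endpoint would answer identically whether or not the e-mail address is registered.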