password and confirm password entries to database - html

in my html form there are two fields for password, one password and other confirm password. If the first password field does not match the second password field than do not submit the form to the database.

This is kind of a long shot since I don't know what your code looks like but this is a javascript example of disabling the submit button until passwords match.
var pass1 = document.getElementById('p1');
var pass2 = document.getElementById('p2');
if(pass1.value == pass2.value)
{
document.getElementById("enableButton").disabled = false;
}
else {
document.getElementById("enableButton").disabled = true;
}

Without knowing anything about your code - you should (could) do two things:
Verify that both passwords are the same via JavaScript on client side. That will bring up a better user-experience as you are able to display an error message / disable the form submission when the passwords are not the same. But please consider - many users still have disabled javascript by default, so that can not be the only validation.
Verify that the passwords are the same in PHP / Server-side code. How exactly you would achieve that depends on your scripting languages / architecture.
There are some in-depth discussions out there regarding password / authentication best-practices: this discussion or this cheat-sheet at owasp or this one in the php faq. Please take the security fundamentals mentioned there into account, too.

Related

Populating password input fields on client

this question has been posed in many flavours, but no one fits my needs.
I'm working on a partially complete Razor project; the original developer has left our office, and he wasn't much concerned about securing password fields, as he left all of them in clear.
These passowrd fields authorize several aspects (Ftp primary and secondary access, Ftp on AS400 and mail sending), so nothing related with login/submit forms. When I changed these fields from text to password, they revert to blank fields, regardless the content of the View Model, and this should be the correct behaviour, as per the numerous answers I've seen googlin around.
My problem is this: the user needs to know at least if a password has been configured (seeing a string of * or any other mask character the browser use), so I need to show him that value to let him know if the service is configured, and the best would be to let him also reveal the password to check if it's correct. The option to not update the particular field in the DB if it's left blank is not an option.
This site works only on Intranet, so there is no concern about hackers monitoring the connection or similar.
I've tried all (I think) the possible combinations, including building the input element manually through html, using the #Html.TextFor and #Html.PasswordFor helpers, decorating the corrisponding member in the view model with [DataType(DataType.Password)]. The data is binded when the page is loaded, so no ajax calls help me retrieving data.
I'm relatively new to Razor, as my last two projects are entirely in PHP.
Thanks for any suggestions.
Ok, no other solution found than issuing an ajax call to a dedicated HttpGet controller method to retrieve only the password fiels, then populating the dedicated fields when the controller returns the object containing all the password I need.

MediaWiki - Require confirmed emails before allowing read?

I'm trying to setup a MediaWiki for university students. Using the EmailDomainCheck, I prevent anyone except those with a university based email from creating accounts. Using $wgEmailConfirmToEdit, I can require that an email is confirmed before the user can edit files. However, as it is, a user can use a fake email from the correct domain to create an account. With the account they can view all pages (even though they cannot edit them). I do not want to grant them read access unless the email has been confirmed. Is this possible? Note, I want all confirmed emails of the correct domain to be automatically accepted. It should not require manual account creation acceptance.
You could try the following, as outlined in the Documentation
# Disable for everyone.
$wgGroupPermissions['*']['read'] = false;
# Disable for users, too: by default 'user' is allowed to read, even if '*' is not.
$wgGroupPermissions['user']['read'] = false;
# Make it so users with confirmed email addresses are in the group.
$wgAutopromote['emailconfirmed'] = APCOND_EMAILCONFIRMED;
# Hide group from user list.
$wgImplicitGroups[] = 'emailconfirmed';
# Finally, set it to true for the desired group.
$wgGroupPermissions['emailconfirmed']['read'] = true;
As Jenny Shoars has mentioned, you may wish to whitelist some pages such as:
$wgWhitelistRead = array("Main_Page", "Special:CreateAccount", "Special:ConfirmEmail");
So that non registered users can still create accounts and the like.
In theory,
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['emailconfirmed']['read'] = true;
should work. In practice, MediaWiki almost always used with an "everyone can read" or "you can read iff you are logged in" setup and others are not very well tested, so if that wiki had some highly sensitive private information I wouldn't do this, but I imagine for a university website that's not the case.
Alternatively, it should not be too hard to integrate an email confirmation step into account creation, but you'd have to write the code for that. EmailAuth (which does a similar check during login) might give you an idea of how that would look.

CakePHP 3: Encrypt/decrypt password

How can I show the decrypted user password in an edit form?
I am using DefaultPasswordHasher for Hashing passwords while registration of users using this:
protected function _setPassword($password) {
return (new DefaultPasswordHasher)->hash($password);
}
It works well and the password is encrypted...
But when I used user table in view page and edit page it shows the encrypted password. So how can I decrypt the password in the controller and when edit page it also decrypt and store in database in CakePHP 3.x?
Simple answer is: You can't
The whole point of hashing is that you cannot reverse engineer the password. So that when your database is hacked or leaked no harm can be done with the passwords.
Any website showing you your own password has a severe security problem and I would not use it.
There is also no point in showing the encrypted password. Editing a password is not needed, you just overwrite the old one (when they can still provide their old one ofc), and if one of your user forget their own password you should provide them with a recovery system using their email for example.

Check If Field Has Been Modified

I'm working on a user system, and I want to use the beforeValidate hook to hash the user's password with bcrypt. However, if the password is not changed, I want it to skip hashing the password. I know it's possible in MongoDB/Mongoose, but I haven't stumbled across anything comparable to Mongoose's isModified function.
Is there anything that I can use to check if it's modified? Or would be setting the password via an InstanceMethod be the only way to do that?
Sequelize has the .changed() method which can be used to check whether an attribute has been changed:
http://sequelize.readthedocs.org/en/latest/api/instance/#changedkey-booleanarray

Best way of retrieving lost password

What is the best method to reset a user password when password is hashed:
Reset a password to a random string and send that string to their registered mail?
Create a unique hash link for resetting password which is valid for an hour and sending that link to mail?
Any other method?
Create a unique hash link for resetting password which is valid for an hour and sending that link to mail
This is the method that I prefer. It allows you only to reset the password if and only if the user visits the link. This way, if someone is maliciously trying to reset passwords, the user can simply delete the email and be unaffected (not have to enter a new password).
Also, you should give the reset link some sort of longer expiration date (like 12 to 24 hours).
2 is the best method. Never ever mail a password in plain form. Even better, don't keep it in your system this way. Always have it hashed and salted.
Follow-up to comments: Emailing hashes instead of plain passwords may also be insecure but you are pursuing a different goal through this. Many people use the same password for all sites, from Facebook up to online-banking. A particular hash may get compromized, but not the password itself, which is the point.
#2 is preferable to #1 if only because sending a password in plain text via email exposes it unnecessarily.
Other options are:
use password hint questions
use OpenID and punt the entire problem to the user's OpenID provider.
It depends on the sensitivity of the information you are protecting...
There is a fine balance between security and usability, and you need to decide where it is, and what assets you are protecting.
What I would normally do (assuming to financial data is involved) is option 2, minus the 1 hour limit.
I found a really interesting method on some websites: they are sending you a new password via SMS. This is awesome because the e-mail can be hacked but the phone... I don't think can be easily hacked.