I have created OFBIZ-11244 for that. I'll work on it ASAP
Jacques
On 07/10/2019 at 10:15, Jacques Le Roux wrote:
Thanks Paul,
Very good points indeed
Jacques
On 07/10/2019 at 02:59, Paul Foxworthy wrote:
I agree with Jacques and Nicolas - remove it.
Security is only as good as its weakest link (https://www.schneier.com/essays/archives/2005/02/the_curse_of_the_sec.html), and security questions can be a real weakness. Any organisation using OFBiz that really hates passwords could look at security keys from Yubico or the like.
Cheers
Paul Foxworthy
On Tue, 1 Oct 2019 at 03:29, Nicolas Malin <nicolas.ma...@nereide.fr> wrote:
I lean towards removing it; it's not a functionality that is really up to date, with code complexity for a few 'most valuable'.
Nicolas
On 9/29/19 11:08 AM, Jacques Le Roux wrote:
On 26/09/2019 at 11:47, Jacques Le Roux wrote:
Hi,
Below is a summary of the situation; you can refer to the Jira issues' comments for more information.
With OFBIZ-4983 and r1716915, basically a feature was implemented to allow an eCommerce customer to create a security question while creating his/her account. The user could then answer the security question to get his/her password through email.
This feature was partly removed while fixing OFBIZ-4361, where basically a JWT is used to safely ask for a new password through an email.
With the OFBIZ-11206 patch it's possible to create a security question, but only in partymgr. When used from the "forgot your password" feature, if you have also set a password hint, you get the value of your password hint on screen.
As I wrote in OFBIZ-11206:
"I wonder if it makes sense to keep this feature as is. It seems convoluted to me. Why ask a question to get a password hint? It seems a lot to remember:
1. The choice of the security question
2. The answer to this security question
3. The relation between the password hint and the password itself
I see only one good thing in this feature: you don't have to change your password. But sincerely, do we really need such a feature? I finally think that rather than fixing the current state we should remove the feature altogether. IMO, the password link in an email, done in a safe way, is enough.
The point to keep in mind is that OOTB all OFBiz users must have an email, apart from anonymous ones, who have no passwords anyway."
So, as Nicolas suggested, either:
* "We continue to support this and I will increase coherence of that"
* "We abandon it and I will remove all code linked to this deprecated feature"
What do you think?
Thanks
Jacques
Hi All,
Without answers I'll consider that we don't want to keep the password hint stuff. It seems like a duplicate of the now-safe emailed password change to me.
So I'll remove it in a week.
Thanks
Jacques
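The "password link in an email done in a safe way" that the thread prefers over security questions, as an added example that is not OFBiz's own code (OFBIZ-4361 uses a JWT; this constructed version uses an HMAC-signed token with the same properties): the link expires, is bound to one user, is rejected if tampered with, and stops working once the password has been changed. The secret key, TTL and payload field names are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample key; a real deployment keeps this out of source control.
SECRET = b"constructed-demo-secret"
TOKEN_TTL = 15 * 60  # a reset link is only honoured for 15 minutes (assumed)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _pw_fingerprint(password_hash: str) -> str:
    # Short digest of the stored password hash; the hash itself never leaves the server.
    return hashlib.sha256(password_hash.encode()).hexdigest()[:16]


def issue_reset_token(user_id: str, password_hash: str, now=None) -> str:
    """Return '<payload>.<signature>' to embed in the emailed reset link.
    Binding the token to the current password hash makes it single-use:
    once the password changes, the fingerprint no longer matches."""
    now = time.time() if now is None else now
    body = {"sub": user_id, "exp": int(now) + TOKEN_TTL,
            "pwf": _pw_fingerprint(password_hash)}
    payload = _b64(json.dumps(body, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


def verify_reset_token(token: str, user_id: str, password_hash: str, now=None) -> bool:
    """True only if the token is authentic, unexpired, issued for this user,
    and issued against the password that is still current."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".")
        given = _unb64(sig)
    except ValueError:  # malformed token (binascii.Error is a ValueError)
        return False
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(given, expected):
        return False  # forged or tampered: reject before trusting the payload
    body = json.loads(_unb64(payload))
    return (body["exp"] >= now and body["sub"] == user_id
            and body["pwf"] == _pw_fingerprint(password_hash))
```

Because the token carries everything needed to check it, the server stores nothing per request; changing the password or letting the clock run past `exp` is enough to invalidate every outstanding link.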