Automatic Password Reset

From: Ethan Post <post.ethan_at_gmail.com>
Date: Wed, 16 Sep 2015 10:26:24 -0400
Message-ID: <CAMNhnU0zF4n1d25RsgUdt1e6rp5+xz1B3BHgoRMGrY6b-Wi+Yg_at_mail.gmail.com>



Anyone out there have an automatic way for users to have their account unlocked and passwords reset?

My thoughts are to use a generic account, something like "PWD_RESET" which can call a procedure which will do something like the following:

# Assume there is already a table with user/email reference...

# User logs into pwd_reset account.
# User runs exec password_reset('MYUSER_NAME');
# Email with "pin" is sent to email on file.
# User runs exec password_pin(PIN); this returns the temporary pwd.
# User logs in with temporary pass

Of course the account reset, emails and stuff all happen in background. Whole thing will be disabled if pin is wrong more than N times in a row in case of some sort of guess attack. Will watch for any type of SQL injection possibilities. Everything is logged and admins are emailed about the reset. PWD_RESET account will only have access to the stated procedures.

Anyone doing anything like this? Anyone see any obvious security holes in this approach? I have the APIs in place to make this pretty easy to implement from a coding standpoint.

Thanks,
Ethan Post

--
http://www.freelists.org/webpage/oracle-l
Received on Wed Sep 16 2015 - 16:26:24 CEST
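One way to put the proposed PWD_RESET flow into a PL/SQL package, as an added example that is not the poster's code: the PIN is stored only as a salted hash with a 15-minute expiry, N wrong guesses delete the request, the PIN is single use, and the ALTER USER is built with DBMS_ASSERT so the username cannot carry injected SQL. It assumes a definer's-rights package owned by a schema that holds ALTER USER and EXECUTE on DBMS_CRYPTO and UTL_MAIL, with the PWD_RESET account granted EXECUTE on the package only; the tables users_email and pwd_reset_req, the sender address and the constant limits are constructed for the example, and password_pin takes the username as well as the PIN so a guessed PIN cannot be matched against every pending request.

```sql
CREATE OR REPLACE PACKAGE pwd_reset AS
  PROCEDURE password_reset(p_user VARCHAR2);
  FUNCTION  password_pin(p_user VARCHAR2, p_pin VARCHAR2) RETURN VARCHAR2;
END pwd_reset;
/
CREATE OR REPLACE PACKAGE BODY pwd_reset AS
  -- Assumed tables (constructed for this example): users_email(username, email) and
  -- pwd_reset_req(username PK, pin_hash RAW(32), pin_salt RAW(16), expires_at TIMESTAMP, bad_attempts NUMBER)
  c_max_attempts CONSTANT PLS_INTEGER := 5;

  FUNCTION hash_pin(p_pin VARCHAR2, p_salt RAW) RETURN RAW IS -- salted SHA-256: a leaked table reveals no live PINs
  BEGIN RETURN DBMS_CRYPTO.HASH(UTL_RAW.CAST_TO_RAW(p_pin) || p_salt, DBMS_CRYPTO.HASH_SH256); END;

  PROCEDURE password_reset(p_user VARCHAR2) IS
    v_user  VARCHAR2(128) := UPPER(p_user);
    v_email VARCHAR2(320);
    v_salt  RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);
    v_pin   VARCHAR2(8) := LPAD(MOD(ABS(DBMS_CRYPTO.RANDOMINTEGER), 100000000), 8, '0'); -- CSPRNG, not DBMS_RANDOM
    v_hash  RAW(32) := hash_pin(v_pin, v_salt);
  BEGIN
    SELECT email INTO v_email FROM users_email WHERE username = v_user; -- bound, never concatenated
    MERGE INTO pwd_reset_req r USING (SELECT v_user AS u FROM dual) s ON (r.username = s.u)
    WHEN MATCHED THEN UPDATE SET pin_hash = v_hash, pin_salt = v_salt, bad_attempts = 0,
                                 expires_at = SYSTIMESTAMP + INTERVAL '15' MINUTE
    WHEN NOT MATCHED THEN INSERT (username, pin_hash, pin_salt, expires_at, bad_attempts)
         VALUES (v_user, v_hash, v_salt, SYSTIMESTAMP + INTERVAL '15' MINUTE, 0);
    UTL_MAIL.SEND(sender => 'noreply@example.com', recipients => v_email,
                  subject => 'Password reset PIN', message => 'Your PIN is ' || v_pin);
    COMMIT;
  EXCEPTION WHEN NO_DATA_FOUND THEN NULL; -- unknown user: same silence, no account enumeration
  END;

  FUNCTION password_pin(p_user VARCHAR2, p_pin VARCHAR2) RETURN VARCHAR2 IS
    v_user VARCHAR2(128) := UPPER(p_user);
    v_row  pwd_reset_req%ROWTYPE;
    v_pwd  VARCHAR2(32);
  BEGIN
    SELECT * INTO v_row FROM pwd_reset_req WHERE username = v_user FOR UPDATE; -- serialise guesses
    IF v_row.expires_at < SYSTIMESTAMP OR v_row.pin_hash <> hash_pin(p_pin, v_row.pin_salt) THEN
      UPDATE pwd_reset_req SET bad_attempts = bad_attempts + 1 WHERE username = v_user;
      DELETE FROM pwd_reset_req WHERE username = v_user AND bad_attempts >= c_max_attempts; -- N wrong: request dies
      COMMIT;
      RAISE_APPLICATION_ERROR(-20001, 'Invalid or expired PIN');
    END IF;
    DELETE FROM pwd_reset_req WHERE username = v_user; -- single use
    v_pwd := RAWTOHEX(DBMS_CRYPTO.RANDOMBYTES(12)); -- hex only, so it is safe inside the quotes below
    EXECUTE IMMEDIATE 'ALTER USER ' || DBMS_ASSERT.ENQUOTE_NAME(v_user) -- raises on embedded quotes
      || ' IDENTIFIED BY "' || v_pwd || '" ACCOUNT UNLOCK PASSWORD EXPIRE'; -- DDL commits; forces change at login
    RETURN v_pwd;
  EXCEPTION WHEN NO_DATA_FOUND THEN RAISE_APPLICATION_ERROR(-20001, 'Invalid or expired PIN');
  END;
END pwd_reset;
/
```

Logging and the admin notification the post describes would sit beside the COMMIT in each subprogram (an autonomous-transaction audit insert keeps the log entry even when the reset itself fails), and the PWD_RESET account itself should be limited to a profile with FAILED_LOGIN_ATTEMPTS so guessing cannot continue after the request is gone.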
