Thanks for the detailed explanation, Martijn. I'm glad you are considering this option
in future releases, as no admin intervention in password reset would be helpful.
dom
-----Original Message-----
From: users-bounces(a)lists.djigzo.com [mailto:users-bounces@lists.djigzo.com] On Behalf Of martijn
Sent: Wednesday, January 27, 2016 11:11 AM
To: users(a)lists.djigzo.com
Subject: Re: [Djigzo users] otp portal password retrieval
On 25-01-16 15:22, Dominik Myslinski wrote:
> Is there a way for the user that created portal password to reset or
> remind it in case they forgot it? Otherwise it'd have to be changed
> statically or user deleted and re-created?
That is currently not supported. Security-wise it's better to have a person reset the
password because with a forgot password option, there is more room for an attacker to
intercept the password. That said, we might add this feature to upcoming releases.

About resetting the password, if you are using the OTP mode, the best is to clear the
user's portal password. The next encrypted mail will then allow the user to set up a new
password for his/her account. The previous messages can still be read because the
"Client secret" is still the same. If you delete the complete user, a new "Client secret"
will be created for the user. The passwords for the old PDF encrypted messages (with OTP
mode) can then no longer be retrieved because they were created using a different
"Client secret".
Kind regards,
Martijn Brinkers
--
CipherMail email encryption
Email encryption with support for S/MIME, OpenPGP, PDF encryption and secure webmail pull.
https://www.ciphermail.com
Twitter: http://twitter.com/CipherMail