Anope IRC Services


Author Topic: [req] Sending NEW Password by eMail  (Read 7593 times)


SNU

  • Anope User
  • Offline Offline
  • Posts: 158
    • http://www.firstclassirc.com
[req] Sending NEW Password by eMail
« on: March 02, 2007, 04:34:30 PM »

Hi.
I started requesting it in the IRC-chan but I think here is the better platform.

I would like to make it possible, that my irc-users can request a new Password if they lost their one.
The problem is that I use "EncModule 'enc_old' " so Sendpass won't work. But I think with an additional module "ns_newpass" :D it could also be possible.

How the Module should act for users:
It should act in two ways because otherwise it might be used abusively:
If a user types /ns newpass my@email.com
Anope sends, by the sendmail-command (specified in the services.conf), an eMail with a crypted activation-command like "Type '/ns confirmnewpass 340378c(F("4hdjkp93ß58' to send you the new password. Remember: After that, your old Password will be lost!". Then the new password will be sent.

I think this must happen in these two ways, because two passwords can't exist for one account. If it suddenly sent the new password per eMail, anope-services would also have to change the user's password. But if it's just a joking user who wants to harm another one, it's not quite a friendly solution... so with the first "/ns newpass" a temporary password file for the user will be created (maybe in a separate .db like in hs_request) and if the user does not use the password-activation-command in the specified time (this might be configurable or hardcoded to 24h I think) the temporary file will be deleted. If the activation code is used nickserv might do saset password nick...

To prevent abusive usage users should hide their eMail address. Maybe the admin sets it to default on reg.

What do you think, might it be possible? I think this would be very nice :D

katsklaw

  • Guest
(No subject)
« Reply #1 on: March 02, 2007, 05:13:18 PM »

This has already been requested and to date has yet to be written. I'd also like to point out that Services Admins can set users' passwords with the SASET command and is arguably more secure.

A Quick step-by-step:

1> user needs password set.
2> oper asks user for their current email address in their NS account (users can't see email addresses unless the user allows it.)
3> IF the email address matches, oper sends a non-related test message to the email NS has on file.
4> Oper asks user to check their email and paste the contents in PM. (email should be very short and contain nothing about re-setting a password. Something random like: "Hi bob, how is Joe?")
5> It's safe to assume that the user is authentically the right user because of the improbability of an imposter having email access to the user in question. Oper then re-sets the password to something random and relays it to the user OVER IRC NOT EMAIL!!!
6> User enjoys life.

One could argue about additional staff workload; those that complain should not be opers, IRCops are there to maintain the network first and foremost. However, on a personal note, handling users' requests is part of their job .. if they don't want to do their job, then they don't need to be an IRCop. Not to mention that 99% of the nets I have visited in the last 3 years have had like 1 oper per 5 users or more. This is more than enough staff to cover any workload. Let's also keep in mind that users don't lose their password often.

As an example: I was a Services Admin on DALnet when it had more than 100,000 users .. in 18 months I've recovered at most 10 passwords. Almost all networks are FAR smaller than that.

SNU

  • Anope User
  • Offline Offline
  • Posts: 158
    • http://www.firstclassirc.com
(No subject)
« Reply #2 on: March 02, 2007, 05:50:44 PM »

Of course, you're right.
But if /ns sendpass exists, also /ns "newpass" could exist. And the last one would work also with crypted databases.

Jobe

  • Contributor
  • *
  • Offline Offline
  • Gender: Male
  • Posts: 1023
    • Anope IRC Services
(No subject)
« Reply #3 on: March 02, 2007, 06:19:06 PM »

/ns newpass could work in a similar way to how the email validation does, in that it sends a confirmation code in an email to the nick's email address.

And ONLY when that confirmation code is inputted is the password reset and returned to the user on IRC.

Come along and visit http://www.anopequotes.org/

Gabriel Acevedo

  • Anope User
  • Offline Offline
  • Gender: Male
  • Posts: 102
    • http://faltanideas.com/
(No subject)
« Reply #4 on: August 24, 2007, 05:35:29 AM »

I wrote a module which could be useful for you.

http://modules.anope.org/viewmod.php?id=108

SNU

  • Anope User
  • Offline Offline
  • Posts: 158
    • http://www.firstclassirc.com
(No subject)
« Reply #5 on: August 24, 2007, 11:39:55 PM »

Thank you. I switched to this topic because this here is on a better place I think :D

Now I'm using your 1.1.0 version and found another small bug :D

"RestrictReset" is always enabled. Also, leaving it commented tells the non-opers on /ns resetpass <nick> "permission denied".

Sorry. If I could I would fix it. But I'm not that coder.

But your fix from 1.0.0 to 1.1.0 works. Password is sent.
Thank you very much so far.

btw: Could this be used to switch to a new/other encryption algorithm? So may I change EncModule "enc_old" to EncModule "enc_md5", restart anope and tell every ppl to reset their passwords, and the database will get "updated" to the new encryption algo? Okay, it is a bit nasty for the users to force them to reset their passwords, but blending out that case, would it be possible in that way?

Jan Milants

  • Team
  • *
  • Offline Offline
  • Gender: Male
  • Posts: 1372
(No subject)
« Reply #6 on: August 25, 2007, 12:37:48 AM »

Quote
Originally posted by SNU
btw: Could this be used to switch to a new/other encryption algorithm? so may I change EncModule "enc_old" to EncModule "enc_md5" restart anope and tell every ppl to reset their passwords..

Very user unfriendly, wouldn't you think?
Why is it that important to switch anyways, since the enc_old is only used in the background.. users don't even notice it's a faulty md5...
But still, I'd wait for a more userfriendly solution..
If you like me donate coins to 1FBmZVT4J8WAUMHKqpWhgNVj3XXnRN1cCk :)

Gabriel Acevedo

  • Anope User
  • Offline Offline
  • Gender: Male
  • Posts: 102
    • http://faltanideas.com/
(No subject)
« Reply #7 on: August 25, 2007, 04:06:25 AM »

Quote
Originally posted by SNU
Now I'm using your 1.1.0 version and found another small bug :D

"RestrictReset" is always enabled. Also, leaving it commented tells the non-opers on /ns resetpass <nick> "permission denied".


Thanks for reporting.
Will fix that soon.

Gabriel Acevedo

  • Anope User
  • Offline Offline
  • Gender: Male
  • Posts: 102
    • http://faltanideas.com/
(No subject)
« Reply #8 on: August 25, 2007, 04:49:41 AM »

Please upgrade to release 1.1.1

Fixed bugs
  • I forgot to add an event for configuration reloading.
  • RestricReset was always defined due to a wrong behavior in configuration loading.

[Edited on 24-8-2007 by DrStein]

SNU

  • Anope User
  • Offline Offline
  • Posts: 158
    • http://www.firstclassirc.com
(No subject)
« Reply #9 on: August 25, 2007, 07:54:55 AM »

Quote
Viper
Very user unfriendly, wouldn't you think? [...]
But still, I'd wait for a more userfriendly solution..


Yes sure. You are right. It's not very clueful. But I just asked if it would be possible "in theory".


And thanks drstein, will try it out later..

[Edited on 25-8-2007 by SNU]

Jobe

  • Contributor
  • *
  • Offline Offline
  • Gender: Male
  • Posts: 1023
    • Anope IRC Services
(No subject)
« Reply #10 on: August 26, 2007, 09:42:25 PM »

Quote
Originally posted by DrStein
Please upgrade to release 1.1.1

Fixed bugs
  • I forgot to add an event for configuration reloading.
  • RestricReset was always defined due to a wrong behavior in configuration loading.


[Edited on 24-8-2007 by DrStein]


Could probably do with some feature to prevent the resendcode command being abused to flood inboxes.

Maybe even requiring you to include the email address for verification that you are the nick's owner.

Eg: /ns resetpass NICK EMAIL

And then the email is checked against the NickServ data for that nick to make sure it's correct before sending the reset.

Come along and visit http://www.anopequotes.org/
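
The reset flow this thread converges on (email checked against the registered one before anything is mailed, a confirmation code valid for 24h, and a limit on how often mail goes out), as an added Python example. It is not code from the module linked above; `ResetTracker`, the 15-minute `RESEND_INTERVAL` and storing only a hash of the code are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

CODE_TTL = 24 * 3600       # the 24h validity suggested in the first post
RESEND_INTERVAL = 15 * 60  # assumed cooldown between mails per nick (anti-flood)

class ResetTracker:
    """In-memory stand-in for the temporary reset store discussed in the thread."""

    def __init__(self, accounts):
        self.accounts = accounts  # nick -> registered email (constructed data)
        self.pending = {}         # nick -> (sha256 of code, time issued)
        self.last_mail = {}       # nick -> time the last mail was sent

    def request(self, nick, email, now):
        """'/ns resetpass NICK EMAIL': return the code to mail, or None."""
        nick = nick.lower()
        on_file = self.accounts.get(nick)
        # Unknown nick and wrong email get the same silent result, so the
        # command cannot confirm which address a nick is registered with.
        if on_file is None or not hmac.compare_digest(
                on_file.lower().encode(), email.lower().encode()):
            return None
        last = self.last_mail.get(nick)
        if last is not None and now - last < RESEND_INTERVAL:
            return None           # cooldown: inbox cannot be flooded
        code = secrets.token_urlsafe(16)
        # Only a hash is kept; the current password stays valid until confirm.
        self.pending[nick] = (hashlib.sha256(code.encode()).digest(), now)
        self.last_mail[nick] = now
        return code

    def confirm(self, nick, code, now):
        """Confirm command: return a new random password once, else None."""
        nick = nick.lower()
        entry = self.pending.get(nick)
        if entry is None:
            return None
        digest, issued = entry
        if now - issued > CODE_TTL:
            del self.pending[nick]  # expired request is discarded
            return None
        if not hmac.compare_digest(digest, hashlib.sha256(code.encode()).digest()):
            return None
        del self.pending[nick]      # single use
        return secrets.token_urlsafe(12)  # caller sets it and shows it on IRC
```

The caller is expected to mail the value returned by `request` and to apply the password returned by `confirm`; timestamps are passed in so expiry and cooldown can be exercised without waiting.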