otp portal password retrieval

Hi

Is there a way for the user that created portal password to reset or remind it in case they forgot it? Otherwise it'd have to be changed statically or user deleted and re-created?

Thanks


That is currently not supported. Security-wise it's better to have a
person reset the password because with a forgot password option, there
is more room for an attacker to intercept the password. That said, we
might add this feature to upcoming releases.

About resetting the password, if you are using the OTP mode, the best is
to clear the user's portal password. The next encrypted mail will then
allow the user to set up a new password for his/her account. The
previous messages can still be read because the "Client secret" is still
the same. If you delete the complete user, a new "Client secret" will be
created for the user. The passwords for the old PDF encrypted messages
(with OTP mode) can then no longer be retrieved because they were
created using a different "Client secret".

Kind regards,

Martijn Brinkers


On 25-01-16 15:22, Dominik Myslinski wrote:

Is there a way for the user that created portal password to reset or
remind it in case they forgot it? Otherwise it'd have to be changed
statically or user deleted and re-created?

--
CipherMail email encryption

Email encryption with support for S/MIME, OpenPGP, PDF encryption and
secure webmail pull.

Twitter: http://twitter.com/CipherMail
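
An added illustration of the reset behaviour described in the reply above (not part of the thread and not CipherMail's code). It assumes, for illustration only, that each OTP-mode PDF password is an HMAC of a per-message password ID keyed with the user's client secret; the class, field names and sample values are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets


class PortalUser:
    """Constructed model of an OTP-mode recipient (not CipherMail's schema)."""

    def __init__(self, email):
        self.email = email
        self.client_secret = secrets.token_bytes(32)  # created together with the user
        self.portal_hash = None                        # set when the user picks a password

    def set_portal_password(self, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.portal_hash = (salt, digest)

    def clear_portal_password(self):
        # Admin reset: only the login credential is removed, client_secret is untouched.
        self.portal_hash = None

    def pdf_password(self, password_id):
        # Assumed derivation: HMAC over the password ID, keyed with the client secret.
        mac = hmac.new(self.client_secret, password_id.encode(), hashlib.sha256)
        return base64.b32encode(mac.digest()[:10]).decode()


def demo():
    user = PortalUser("recipient@example.com")
    user.set_portal_password("forgotten-by-user")
    password_id = "msg-0001"  # constructed ID, standing in for the one sent with a PDF
    original = user.pdf_password(password_id)

    user.clear_portal_password()
    after_clear = user.pdf_password(password_id)

    recreated = PortalUser(user.email)  # delete and re-create: a new client secret
    after_recreate = recreated.pdf_password(password_id)
    return original, after_clear, after_recreate, user.portal_hash


if __name__ == "__main__":
    original, after_clear, after_recreate, _ = demo()
    print("old PDF password recoverable after clearing portal password:", after_clear == original)
    print("old PDF password recoverable after delete and re-create:", after_recreate == original)
```
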

Thanks for the detailed explanation, Martijn. I'm glad you are considering this option in the future releases as no admin intervention in password reset would be helpful.

dom


-----Original Message-----
From: users-bounces(a)lists.djigzo.com [mailto:users-bounces(a)lists.djigzo.com] On Behalf Of martijn
Sent: Wednesday, January 27, 2016 11:11 AM
To: users(a)lists.djigzo.com
Subject: Re: otp portal password retrieval
