U4-9898 - Reset password should unlock a locked account

Created by Nigel Morris 10 May 2017, 16:29:20 Updated by Shannon Deminick 24 May 2017, 06:11:54

Subtask of: U4-9609

Your report will have a greater chance of being addressed if you can give us clear steps to reproduce the issue; please answer the following questions in as much detail as possible.

What did you do?

  • Update from 7.5.13 to 7.6.0
  • Password no longer accepted
  • Requested new password
  • Email received but the link does not reset password

What did you expect to happen? Go to a reset password page

What actually happened? Returns to the login page

1 Attachments

Comments

Nigel Morris 11 May 2017, 08:12:25

I imagine the password is not accepted if the current password is less than 10 characters, as the minRequiredPasswordLength is now 10 (although this should only be enforced on new and updated passwords). Also the field umbracoUser > userNoConsole is set to True after requesting the password, so emails no longer work for that user. Will test again but assume it's related to "enablePasswordRetrieval" in the web.config

UmbracoMembershipProvider > enablePasswordRetrieval="false" minRequiredPasswordLength="8" useLegacyEncoding="true" & UsersMembershipProvider > enablePasswordRetrieval="false" minRequiredPasswordLength="8" useLegacyEncoding="true"


Sebastiaan Janssen 15 May 2017, 20:47:18

Seems to work fine here, see screenshot.

I think it is just that you were already locked out when you requested a password reset. Unfortunately we don't unlock when a password reset is requested as this would defeat the purpose of locking someone out:

  • Try a password
  • Doesn't work
  • Try another password
  • Doesn't work
  • Do this 5 times
  • User gets locked out
  • Attacker knows this so requests a password reset
  • If we were to unlock the account when a password reset is requested, the attacker gets 5 more tries

However, I'm pretty sure it would be okay to unlock the account once the account owner clicks the link and actually provides an updated password.


Jeffrey Schoemaker 18 May 2017, 07:17:41

Hi @sebastiaan and @Nigel.Morris,

some thoughts from my side...

If a user is already locked out and requests a "reset password" mail, the mail should be sent to the user regardless of his locked-out status. If the user is an honest user and can access the email address of the specified user, it should be possible to click on the link and reset his password (no matter if he is locked in or locked out).

Once he has specified his new password his account should be unlocked at that moment (and not when sending the forgotten password mail).

The risk of unlocking an account when resetting his password at this moment is minimal in my opinion, because the user has to be able to access the email address of the user, and if that's possible then the lockout threshold isn't the biggest problem he has.

This is then also a way to unlock your account :)

Jeffrey

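The two comments above settle on the same design: the reset mail goes out whether or not the account is locked, and the lockout is cleared only when the holder of the emailed token sets a new password, never on the request itself. The following is an added illustration of that state machine, not Umbraco's own code; it assumes a constructed 5-attempt lockout threshold and the 10-character minimum mentioned in this thread, and uses a plain SHA-256 stand-in where a real system would use a proper password hash.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

MAX_FAILED_ATTEMPTS = 5      # constructed: matches "do this 5 times" above
MIN_PASSWORD_LENGTH = 10     # applies to new passwords only, not to existing ones


@dataclass
class Account:
    password_hash: str
    failed_attempts: int = 0
    locked_out: bool = False
    reset_token: Optional[str] = None


def _hash(password: str) -> str:
    # Stand-in only; use a slow, salted password hash in real code.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def login(acct: Account, password: str) -> bool:
    if acct.locked_out:
        return False            # right or wrong password, a locked account stays shut
    if secrets.compare_digest(acct.password_hash, _hash(password)):
        acct.failed_attempts = 0
        return True
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked_out = True
    return False


def request_reset(acct: Account) -> str:
    # Sent regardless of lockout state, but nothing is unlocked here: an attacker
    # who can trigger reset mails must not get a fresh batch of guesses per request.
    acct.reset_token = secrets.token_urlsafe(32)
    return acct.reset_token     # the mailed link would carry this token


def complete_reset(acct: Account, token: str, new_password: str) -> bool:
    # Only someone reading the account's mailbox holds a valid token, so this is
    # the point at which clearing the lockout is safe.
    if acct.reset_token is None or not secrets.compare_digest(acct.reset_token, token):
        return False
    if len(new_password) < MIN_PASSWORD_LENGTH:
        return False            # length rule enforced on the new password only
    acct.password_hash = _hash(new_password)
    acct.reset_token = None     # single use
    acct.failed_attempts = 0
    acct.locked_out = False
    return True
```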

Sebastiaan Janssen 19 May 2017, 08:30:25

Yup, makes sense, thanks for the feedback!


Sebastiaan Janssen 20 May 2017, 12:37:21

PR: https://github.com/umbraco/Umbraco-CMS/pull/1956


Shannon Deminick 24 May 2017, 06:11:49

confirmed, all working :)


Priority: Normal

Type: Bug

State: Fixed

Assignee:

Difficulty: Normal

Category:

Backwards Compatible: True

Fix Submitted:

Affected versions: 7.6.0, 7.6.1

Due in version: 7.6.2

Sprint:

Story Points:

Cycle: 1