[keycloak-dev] Cleanup of 'Change password' screen in Account app

Thomas Raehalme thomas.raehalme at aitiofinland.com
Fri Nov 27 05:05:43 EST 2015


Hi!

On Fri, Nov 27, 2015 at 11:23 AM, Vlastimil Elias <velias at redhat.com> wrote:

> 2. remove validation of the current password (remove the "Password" field). Two
> reasons for this:
>    - the security impact of this check is small. If an attacker is able to
> compromise the Account app, then he can always change the email and then use
> the "Forgot password" feature to change the password
>    - a user created over an Identity Provider does not know the old password
> (because it is not set), so he is not able to set a password using this screen
> After we implement support for reauthentication (KEYCLOAK-2076), we
> should set some reasonable reauth timeout for the Account app instead; this
> will make it more secure overall.
>

Wouldn't it make more sense to add password validation when changing email?

Best regards,
Thomas
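The two designs being weighed above (verify the current password before a sensitive change, or require a recent reauthentication within a timeout) can be sketched as a small model. The following is an added example, not Keycloak's code; the names (`Account`, `Session`, `require_recent_auth`, `REAUTH_MAX_AGE`) and the 300-second timeout are assumptions chosen for illustration. It also covers the Identity Provider case from the quoted mail: an account with no stored password cannot prove the old one, but a fresh session still lets it set a password.

```python
"""Hypothetical model of gating sensitive account changes (email, password)
behind a recent-authentication check. Illustration only; not Keycloak code."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional, Tuple

REAUTH_MAX_AGE = 300.0  # seconds since last authentication; assumed policy value


class ReauthRequired(Exception):
    """Raised when the session is too old for a sensitive operation."""


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-HMAC-SHA256 digest); a fresh salt is drawn if none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


@dataclass
class Account:
    email: str
    salt: Optional[bytes] = None
    pw_hash: Optional[bytes] = None  # None for a user federated from an Identity Provider

    def verify_password(self, candidate: str) -> bool:
        # A federated user has no local password, so nothing can be verified.
        if self.pw_hash is None or self.salt is None:
            return False
        _, digest = hash_password(candidate, self.salt)
        return hmac.compare_digest(digest, self.pw_hash)


@dataclass
class Session:
    account: Account
    last_auth_at: float  # timestamp of the last completed login or reauthentication


def require_recent_auth(session: Session, now: Optional[float] = None,
                        max_age: float = REAUTH_MAX_AGE) -> None:
    """Reject the operation unless the user authenticated within max_age seconds."""
    now = time.time() if now is None else now
    if now - session.last_auth_at > max_age:
        raise ReauthRequired("re-enter credentials before changing account data")


def reauthenticate(session: Session, password: str, now: Optional[float] = None) -> bool:
    """Refresh the session's authentication time if the password is correct."""
    if not session.account.verify_password(password):
        return False
    session.last_auth_at = time.time() if now is None else now
    return True


def change_email(session: Session, new_email: str, now: Optional[float] = None) -> str:
    # Email is the recovery channel, so it is gated exactly like the password.
    require_recent_auth(session, now)
    session.account.email = new_email
    return session.account.email


def change_password(session: Session, new_password: str,
                    now: Optional[float] = None) -> bool:
    # No "old password" field: a recent authentication stands in for it, which
    # also lets a federated user without a local password set one.
    require_recent_auth(session, now)
    session.account.salt, session.account.pw_hash = hash_password(new_password)
    return True


if __name__ == "__main__":
    acct = Account(email="alice@example.test")  # constructed sample account
    acct.salt, acct.pw_hash = hash_password("correct horse")
    sess = Session(acct, last_auth_at=time.time() - 1000)  # stale login
    try:
        change_email(sess, "alice2@example.test")
    except ReauthRequired as exc:
        print("blocked:", exc)
    if reauthenticate(sess, "correct horse"):
        print("email now", change_email(sess, "alice2@example.test"))
```

Both sensitive operations share the same gate, so the question raised in the reply (validate the password when changing email, not only when changing the password) is answered by construction; the timeout value is the knob the quoted mail proposes to tune once reauthentication exists.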