Is it possible to log the wrong passwords entered in the Change User login form?
(So actually one or more users are logged in, and the change user form is shown by pressing Win+L, or by using the Start Menu.)
No it is not possible since password attempts aren't stored neither hashed nor in plain text.
Related
I have created an apex application and I have some end users which should log in to the application and use it, I realized that there is not any change password or reset password option for end users !!!
How can I add it to login page ??
I have done that based on this link, but the problem is when any username is not entered, it goes to the change password page and after presseing the change password button an internal error box appears !
https://apex-de.blogspot.com/2017/11/change-apexuser-password-for-end-users.html
That page in the blog does not mention a username. And it shouldn't because a user should only be able to set/change a password for himself. Usually there are 2 ways to change a password, both can be implemented together:
A form that is accessible to any user that is logged in. That way you're sure that the password is changed for the actual user.
A link on the home page that points to a public form in which the user can enter his email address that is linked to his account. When the form is submitted the user gets an email with a link that contains a unique code that is linked to his email and only valid for x minutes. The email verification is needed to ensure the user that wants to change the password is who he says he is. Clicking on the link allows the user change the password. At no point the password is displayed to the user or emailed to the user.
Both of those can be implemented in apex - the api to change a users password is APEX_UTIL.CHANGE_CURRENT_USER_PW as mentioned in the blog.
The reason that by default there is no password management is that the authentication scheme "Application Express users" is rarely used for production applications. Usually it's social sign in, LDAP, SSO or SAML and "Application Express users" is only there for development purposes.
Im using Django Allauth and have a number of questions.
(a) When a user registers they are instantly logged in and a confirmation email is sent to their inbox. I am wondering if this is best practice? Should the user instead be signed out after registration and only allowed to sign in using the link in their email?
I am also wondering about password change. The password change functionality that comes with Allauth simply asks the user to enter their old password then enter a new one twice. My two questions for this are (b) is this good practice or should I make my users request a new password via email, and (c) should I force logout my users after a password change and make them login using their new credentials?
(d) And lastly, if a user has forgotten their password they can request a new one sent to them via email. I could imagine this could easily be abused as you do not need to be signed in to do this (a person or bot continually enter a users email address sending them thousands of password reset links). Is there a way to add a limit on a persons email address so the one user can only be sent maybe 2 password reset links per day?
I would appreciate answers to any of these questions and greatly appreciate any elaboration on how to do any of this as I am new to Django and really dont know where to begin if I am to make these changes.
Thank you very much.
It all depends on what you want to do, if your site is gonna manage a lot privacy data, then the story would be completely different. Assuming that it is true.
A) Best practice would be to be able to log in right away but they have restriction until they confirm the email.
B)Always request password change via Email using generated url.
C)You should not keep the user logged in with the old password, either log it out or automatic re login.
D)This is probably the most important here. There is a lot of way to prevent such abuse, tho they are not 100% effective but it is very effective, here is the thing: 1) if your way to recover password is by email, you can KEEP THE EMAIL PRIVATE, no one can see it, and what do you think the odds are to type a random email and matches the one on your database ? 2) Use popular antibots like Google's Recaptcha. 3) Set a limit of attempts on a limited range of time.
I am using Apex 18.2.
I have created a report with a form for displaying and entering employees data. Employees can set their own usernames and passwords. My problem is that When I try to create a new employee or edit one that did not have a username and a password set before. The browser populates those two fields with some values. I think with the last entered username and password in the browser. I can not guarantee that users would refuse the browser's offering to save passwords. And if they do not then the next one tries to create a new employee will get the previous password entered. And I think that handling it using JavaScript through emptying the items, for example is not a good idea because the client-side can always be manipulated. I want to control it through the app not the browser. Or maybe better, control the browser through the app and prevent it from saving passwords for the app. Is there a way to do so?
Here is a sample:
https://apex.oracle.com
ws = ESLAM_WS
user = forhelp
pwd = forhelppwd
app = TEST
page = 14 and 15.
If it's the browser's offering to save the password you're trying to avoid, there are existing discussions on this
How to prevent a browser from storing password
You APEX form seems to behave as expected.
And you should not be saving passwords in clear text. Hash your data.
Is there a way to use django's inbuilt password reset function without sending reset links via email or without the email option. I am currently developing a simple system with a few number of users on which sending emails are not needed.Thanks in advance
There are some options in django.contrib.auth that allows you to change the password without needing to send an email:
PasswordChangeForm: A form that lets a user change their password by entering their old password.
SetPasswordForm: A form that lets a user change set their password without entering the old password
You can implement one of them in your view to change the users password.
You can change password with forms and in the views.py use the function
make_password()
if passwordForm.is_valid():
password = passwordForm.cleaned_data['password']
request.user.password = make_password(password)
request.user.save()
[make_password][1]https://docs.djangoproject.com/en/1.11/topics/auth/passwords/
I'm not familiar with django but I've worked on other apps before where access was gained for any user, even the initial admin, via password reset. In all those cases the method of working has been similar - the reset link is formed from some URL stub plus a unique key that is found in some database table somewhere. Manually assembling the link and using it worked out just fine, though one system used an emailsentdate column and refused to do anything unless it was populated , so check for anything similar if you don't get success with a simple approach
If you absolutely have to have an email server, there do exist simple ones intended for dev use like smtpdev, they behave like an smtp server to fool an app that demands one, but they don't send the emails onto anywhere, they just display them. Intended for debugging but might help you if django insists on one being configured that looks like a real mail server
In the Django tutorial, I'm at the part that says "You'll see a message for each database table it creates, and you'll get a prompt asking you if you'd like to create a superuser account for the authentication system. Go ahead and do that." I'm using Django 1.2.3.
In case it's relevant, I'm using SQLite, and in the settings file under mysite, I didn't set a password because you're supposed to leave it blank for SQLite. But right now I'm setting up the superuser account in the command line and it's demanding that I set a password. And it won't let me type.
So I leave it blank, and hit enter (which does work), and it asks me to confirm my password. I hit enter again. And it tells me, "Error: Your passwords didn't match."
Is there a reason it won't let me enter any text? Is there a way to get around this? This is just a development server, so I'm OK if the solution involves not setting a password at all, but it's not letting me do that either.
OK, so I know I have to enter something non-empty. The problem is, the command line is literally not letting me type there. I hit keys and the little blinking underscore doesn't move. All it will allow me to do is hit enter while it's still blank, but then the empty passwords don't match. I want to know why it's not letting me type.
You are not suppose to see the password you are typing. Just type your password, repeat exactly same password when prompted and you should be ok.
The Django superuser password is independent of the password used to authenticate with the database server. The reason it won't let you set a non-blank password is because it's a security risk; Django doesn't care that your app will never see public use.
The password for the authentication module is separate from your database. You'll have to set a non-blank password for the superuser.