
Manual: Features-PasswordReset


Passwords can be stored in the Users table in an unintelligible format (Feature=SecurePasswordsFeature). This means that Passwords are NOT stored as the normal characters/letters a human could read, and it also means that the site itself cannot "read" a stored password. When SecurePasswords is in effect, the stored value is the output of a one-way function (a hash) applied to the password; the original cannot be recovered from it. As a result, the site cannot tell a User what a "forgotten password" was; it can only let the User set a new one.

The Reset Password mechanism provides a technique that permits a User to reset his/her own Password without Administrator intervention (see the Welcome action for a Reset Password action that involves an Administrator).

The RidgeStar standard Reset Password mechanisms come in two forms:

  1. Reset Password using Email
  2. Reset Password without using Email

1. Reset Password using Email

User forgets his/her Password or never knew it
Whenever the User cannot get logged on because s/he has forgotten his/her password or simply doesn't have it yet, s/he clicks to Logon: Reset Password. The Site prompts the User for his/her SiteName and one of the Email addresses on file that is associated with that SiteName.

SiteName and Email properly match
Once the Visitor has specified a matching SiteName and Email address combination, the site immediately resets the password to a random string and then Emails the User, at the specified Email address, a URL that, when clicked, returns the User to the site to select a new Password. Note the ordering: the old password stops working as soon as the request is accepted, before the User has done anything with the Email.
PROs
  • Simple, easy to use
  • Can be utilized for a User that has never logged onto the site before
CONs
  • Not very secure: anyone who knows a User's SiteName and an Email address on file can trigger a reset, and because the password is replaced immediately, the User is locked out until the Emailed link is used
  • Uses Email to transmit the Reset URL (thus susceptible to non-delivery problems, and the link is readable by anyone with access to the mailbox or the mail path)
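The Email-based flow above, written out as an added example in Python. This is not RidgeStar's code; it assumes an in-memory Users table, a hypothetical reset URL on example.invalid, a 15-minute token lifetime (TOKEN_LIFETIME, an assumption rather than a RidgeStar setting) and PBKDF2 as the one-way function for stored passwords. It differs from the description in one deliberate respect: the existing password is left untouched until the Emailed link is actually used, which is the usual way to close the lock-out problem listed under CONs. The token itself is stored only as a hash, so a copy of the table does not yield working links, and each link is single use.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stand-ins for the site's database tables (assumption).
USERS = {}          # sitename -> {"emails": set, "salt": bytes, "hash": bytes}
RESET_TOKENS = {}   # sha256(token) -> (sitename, email, expiry timestamp)
TOKEN_LIFETIME = 15 * 60   # seconds; an assumed value, not a RidgeStar setting


def hash_password(password, salt=None):
    """One-way hash of a password: the site stores (salt, digest), never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def add_user(sitename, emails, password):
    salt, digest = hash_password(password)
    USERS[sitename] = {"emails": {e.lower() for e in emails}, "salt": salt, "hash": digest}


def verify_logon(sitename, password):
    rec = USERS.get(sitename)
    if rec is None:
        return False
    _, digest = hash_password(password, rec["salt"])
    return hmac.compare_digest(digest, rec["hash"])


def request_reset(sitename, email, now=None):
    """Logon: Reset Password, step 1. The User supplies SiteName + an Email on file.

    Returns the URL that would be mailed, or None when the pair does not match.
    The web form should show the same neutral message in both cases so it does
    not reveal which SiteName/Email combinations exist.
    """
    now = time.time() if now is None else now
    rec = USERS.get(sitename)
    if rec is None or email.lower() not in rec["emails"]:
        return None
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()   # store a hash, not the token
    RESET_TOKENS[key] = (sitename, email.lower(), now + TOKEN_LIFETIME)
    # The current password stays valid until the link is used, so a reset
    # requested by someone else cannot lock the real User out.
    return "https://example.invalid/Logon/ResetPassword?token=" + token   # hypothetical URL


def complete_reset(token, new_password, now=None):
    """Step 2: the User follows the link and chooses a new Password."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(key, None)   # single use: removed whether or not it succeeds
    if entry is None:
        return False
    sitename, _email, expiry = entry
    if now > expiry:
        return False
    salt, digest = hash_password(new_password)
    USERS[sitename].update(salt=salt, hash=digest)
    return True
```

The `now` parameter exists only so the expiry logic can be exercised deterministically; in a live site the default wall-clock time is used.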

2. Reset Password without using Email

User responds to a series of personal questions
After initial logon, or whenever the User prefers, s/he clicks to Services: Profile-Questions and completes a questionnaire of Administrator-defined questions about his/her personal circumstances. These Password Reset responses are stored in the User's profile in the database for subsequent use (if necessary).
User forgets his/her Password
Whenever the User cannot get logged on because s/he has forgotten his/her password, s/he clicks to Logon: Reset Password. If Setting=Password ResetCookie=1 is in effect, the request must come from a system that has previously been used to log on successfully as that User (the Site recognises it by a cookie set at that logon). If everything seems ok, the Site will:

  1. randomly select a few questions from the previously completed questionnaire and present them to the User
  2. select a subset of the responses to each question and present them in a pulldown
  3. the individual User's actual response may or MAY NOT be present in the pulldown (if it is not present, the correct selection is "None of these")

The User desiring to Reset Password must select the appropriate response to every question and click "Reset Password". If the responses do not all match, an error message is issued and the Site responds with a different set of questions, so a failed attempt cannot simply be retried against the same pulldown entries.

The Responses properly match
If the responses do properly match, the Reset Password function will:
  1. present the "Set a new Password" page (see Feature=PasswordStrengthFeature)
  2. accept a new Password (with verification) that meets the Site's Password requirements
  3. save the new Password in the User's profile and immediately log the User on
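The questionnaire flow, from enrolment through the challenge and its verification, as an added example in Python. It is not RidgeStar's code. The questions, the pool of candidate responses offered in the pulldowns, the number of questions per challenge and the number of entries per pulldown are all constructed or assumed; the device check models Setting=Password ResetCookie=1 with a random cookie value issued at a successful logon. Only salted hashes of the normalised answers are stored, so the Site decides which pulldown entry is correct by hashing each offered entry, and "None of these" is the right answer when none of them match. The example stops where the "Set a new Password" page would be shown.

```python
import hashlib
import hmac
import os
import random
import secrets
import unicodedata

NONE_OF_THESE = "None of these"
QUESTIONS_PER_CHALLENGE = 3    # assumed knob, not a RidgeStar setting
CHOICES_PER_QUESTION = 5       # 4 candidate responses + "None of these" (assumed)
REQUIRE_DEVICE_COOKIE = True   # stands in for Setting=Password ResetCookie=1

# Constructed sample data: Administrator-defined questions.
QUESTIONS = {
    "q1": "Name of your first pet?",
    "q2": "Street you grew up on?",
    "q3": "Make of your first car?",
    "q4": "City where your parents met?",
}
# Constructed pool of candidate responses per question (e.g. responses other
# Users have given). A particular User's real answer may or may not be in it.
CANDIDATES = {
    "q1": ["Rex", "Bella", "Max", "Daisy", "Charlie", "Luna", "Rocky", "Molly"],
    "q2": ["Elm Street", "Main Street", "Oak Avenue", "Park Road", "High Street", "Mill Lane"],
    "q3": ["Ford", "Toyota", "Honda", "Volkswagen", "Fiat", "Subaru", "Mazda"],
    "q4": ["Lisbon", "Chicago", "Seattle", "Dublin", "Toronto", "Denver", "Boston"],
}

PROFILES = {}        # sitename -> {qid: (salt, hash of normalised answer)}
DEVICE_COOKIES = {}  # sitename -> set of sha256(cookie) issued at successful logons
PENDING = {}         # sitename -> challenge currently on screen, needed to check the reply


def normalize(answer):
    """Fold case, whitespace and accents so 'Elm  street' matches 'Elm Street'."""
    folded = unicodedata.normalize("NFKD", answer).encode("ascii", "ignore").decode()
    return " ".join(folded.lower().split())


def _hash_answer(answer, salt):
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 50_000)


def enrol(sitename, responses):
    """Services: Profile-Questions. Only salted hashes of the answers are kept."""
    PROFILES[sitename] = {}
    for qid, answer in responses.items():
        salt = os.urandom(16)
        PROFILES[sitename][qid] = (salt, _hash_answer(answer, salt))


def issue_device_cookie(sitename):
    """Called after a successful logon; the returned value goes in a long-lived cookie."""
    cookie = secrets.token_urlsafe(32)
    DEVICE_COOKIES.setdefault(sitename, set()).add(hashlib.sha256(cookie.encode()).hexdigest())
    return cookie


def build_challenge(sitename, device_cookie=None, rng=None):
    """Logon: Reset Password. Returns [(qid, [pulldown entries])], or None when
    this path is unavailable (no questionnaire on file, or unrecognised device)."""
    rng = rng or random.SystemRandom()
    prof = PROFILES.get(sitename)
    if not prof:
        return None   # CON: a first-time User has no responses to match against
    if REQUIRE_DEVICE_COOKIE:
        known = DEVICE_COOKIES.get(sitename, set())
        if device_cookie is None or hashlib.sha256(device_cookie.encode()).hexdigest() not in known:
            return None
    qids = rng.sample(sorted(prof), min(QUESTIONS_PER_CHALLENGE, len(prof)))
    challenge = []
    for qid in qids:
        choices = rng.sample(CANDIDATES[qid], CHOICES_PER_QUESTION - 1)
        choices.append(NONE_OF_THESE)   # always offered; correct when the real answer is absent
        challenge.append((qid, choices))
    PENDING[sitename] = challenge
    return challenge


def verify_challenge(sitename, selections):
    """selections: {qid: chosen pulldown entry}. Every question must be right.
    The pending challenge is consumed either way, so a retry gets new questions."""
    challenge = PENDING.pop(sitename, None)
    prof = PROFILES.get(sitename)
    if challenge is None or prof is None:
        return False
    all_ok = True   # evaluate every question rather than stopping at the first miss
    for qid, choices in challenge:
        salt, digest = prof[qid]
        matches = [c for c in choices
                   if c != NONE_OF_THESE and hmac.compare_digest(_hash_answer(c, salt), digest)]
        expected = matches[0] if matches else NONE_OF_THESE
        if selections.get(qid) != expected:
            all_ok = False
    return all_ok
```

Because `CANDIDATES` sometimes contains the User's real answer and sometimes does not, the same User will see the real answer in some pulldowns and "None of these" as the only correct entry in others, which is the behaviour item 3 above describes.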
PROs
  • Eliminates the use of Email, which is not a secure channel, for Password related activity
  • Provides a more secure, yet simple, way to reset a password for experienced Users of the site
CONs
  • Is somewhat complicated to structure and set up
  • Mandates that a series of generic questions be defined
  • Requires every User to complete a series of personal questions before Reset Password can be used (thus, cannot be used for "first time" Users)