Automatic Password Reset

  • From: Ethan Post <post.ethan@xxxxxxxxx>
  • To: oracle-l <oracle-l@xxxxxxxxxxxxx>
  • Date: Wed, 16 Sep 2015 10:26:24 -0400

Anyone out there have an automatic way for users to have their account
unlocked and passwords reset?

My thoughts are to use a generic account, something like "PWD_RESET" which
can call a procedure which will do something like the following


# Assume there is already a table with user/email reference...

# User logs into pwd_reset account.
# User runs exec password_reset('MYUSER_NAME');
# Email with "pin" is sent to email on file.
# User runs exec password_pin(PIN); , this returns the temporary pwd.
# User logs in with temporary pass

Of course the account reset, emails and stuff all happen in background.
Whole thing will be disabled if pin is wrong more than N times in a row in
case of some sort of guess attack. Will watch for any type of SQL injection
possibilities. Everything is logged and admins are emailed about the reset.
PWD_RESET account will only have access to the stated procedures.

Anyone doing anything like this? Anyone see any obvious security holes in
this approach? I have the APIs in place to make this pretty easy to
implement from a coding standpoint.

Thanks,
Ethan Post
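
An added sketch (not part of the original post or the poster's code) of the PIN-check step described above, in PL/SQL: it stores only a hash of the PIN, expires requests, counts failed attempts per account, and quotes the username with DBMS_ASSERT before building the ALTER USER statement. The table pwd_reset_request, its columns, the second parameter p_username and the limit of 5 are assumptions; it also assumes Oracle 12c or later for DBMS_CRYPTO.HASH_SH256 and a password profile that accepts the generated temporary password.

```sql
-- Added sketch, not the poster's code. Table, columns and p_username are hypothetical.
-- Assumes the owning schema holds ALTER USER and EXECUTE on DBMS_CRYPTO by direct
-- grant, and that PWD_RESET is granted EXECUTE on the reset procedures only.
CREATE TABLE pwd_reset_request (
  username   VARCHAR2(128) PRIMARY KEY,   -- stored upper case when the PIN is issued
  pin_hash   RAW(32)   NOT NULL,          -- SHA-256 of the PIN, never the PIN itself
  expires_at TIMESTAMP NOT NULL,
  attempts   NUMBER    DEFAULT 0 NOT NULL
);

CREATE OR REPLACE FUNCTION password_pin (
  p_username IN VARCHAR2,
  p_pin      IN VARCHAR2
) RETURN VARCHAR2 AUTHID DEFINER
IS
  c_max_attempts CONSTANT PLS_INTEGER := 5;   -- the "N" from the post (assumed value)
  l_req  pwd_reset_request%ROWTYPE;
  l_temp VARCHAR2(30);
BEGIN
  -- Lock the row so parallel sessions cannot guess past the attempt limit.
  SELECT * INTO l_req FROM pwd_reset_request
   WHERE username = UPPER(p_username) FOR UPDATE;

  IF p_pin IS NULL OR l_req.attempts >= c_max_attempts
     OR l_req.expires_at < SYSTIMESTAMP THEN
    ROLLBACK;
    RAISE_APPLICATION_ERROR(-20001, 'Reset request is not valid');
  END IF;

  -- Positive match only: a NULL comparison result falls through to the failure path.
  IF l_req.pin_hash = DBMS_CRYPTO.HASH(UTL_RAW.CAST_TO_RAW(p_pin),
                                       DBMS_CRYPTO.HASH_SH256) THEN
    -- Hex characters only, so the value cannot break out of the quoted password.
    l_temp := 'T' || RAWTOHEX(DBMS_CRYPTO.RANDOMBYTES(12));
    EXECUTE IMMEDIATE 'ALTER USER ' || DBMS_ASSERT.ENQUOTE_NAME(l_req.username, FALSE)
      || ' IDENTIFIED BY "' || l_temp || '" PASSWORD EXPIRE ACCOUNT UNLOCK';
    DELETE FROM pwd_reset_request WHERE username = l_req.username;  -- one-time use
    COMMIT;
    RETURN l_temp;
  END IF;

  UPDATE pwd_reset_request SET attempts = attempts + 1
   WHERE username = l_req.username;
  COMMIT;  -- the failed attempt is recorded even though the caller gets an error
  RAISE_APPLICATION_ERROR(-20001, 'Reset request is not valid');
EXCEPTION
  WHEN NO_DATA_FOUND THEN  -- same message as a wrong PIN, so usernames are not revealed
    RAISE_APPLICATION_ERROR(-20001, 'Reset request is not valid');
END password_pin;
/
```

PASSWORD EXPIRE forces the user to choose a new password at first login, so the emailed PIN and the returned temporary password are each usable once.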
