I am thinking about how to implement an email change function in light of the worst-case scenario and how to revert it if it was malicious.
In light of people choosing the easiest possible password that I let them choose, I have to deal with a hacked account or a colleague using the logged-in account to change the email just for fun.
If I change a customer's email, I have to deal with the possibility that I am handing over his account to someone else.
My approach is the following:
- I ask for the password again when the email is changed
- I create 2 emails, one to the old address and one to the new. Both include a different hash. The one to the new is obvious, as it is used for validation. The one to the old includes 2 links, one to finalize the change and one to deny the change in case of a malicious change request.
I change the email address on validation, but I keep the possibility to reverse it if the user e.g. comes back from vacation and notices the problem.
Is this enough precaution or do I need more? I might be totally paranoid about this, but I can think of a couple of scenarios where I might think that an automated email change system might be a completely bad idea ...
How to implement an Email Change Function?
- social_experiment
- DevNet Master
Re: How to implement an Email Change Function?
To ask for the password when changing the email address is a good idea; a correct combination of both doesn't always indicate the owner of the account. I'm not so sure about sending a validation email to the new address; it feels to me like a bit of overkill.
If the correct password is provided; for both login and the request to update information, you can only assume the user is the valid owner of the account. A user also has an obligation to keep sensitive information secure.
AGISB wrote: In light of people choosing the easiest possible password that I let them choose
You should force a format for the passwords here (if you don't already); at least 8 characters in length, and those characters should be a mix of alphanumeric characters and non-word characters; generate passwords if you must.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
Re: How to implement an Email Change Function?
The validation email to the new account is just to make sure the email is correct, as my application requires a valid email so I can contact the user.
My problem was that I used the email address as username as well, but I changed this, so most of the problems I had with changing the mail are gone now.
- Jonah Bron
- DevNet Master
Re: How to implement an Email Change Function?
AGISB wrote: The validation email to the new account is just to make sure the email is correct, as my application requires a valid email so I can contact the user.
It seems to me like that's the user's problem, not yours. However, there is a security problem with not confirming it. A malicious user could conceivably create an account under an email, change it to a non-existent email, and then register again with the first email. Using this method the person could create as many accounts as they like with only one valid email address. A good way to circumvent that would be to put a hold on the email for, say, 36 hours before allowing any particular email to be re-registered.
Overall, I don't think you need to be too worried about it, most sites are pretty lax in dealing with changing emails, I find, and there's not too much trouble.
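The flow from the opening post, written out as an added Python example (not code from anyone in this thread): the password is re-checked, two separate random tokens are generated (one mailed to the new address, one to the old), the change is applied when the new address confirms, and the old address keeps a finalize link and a deny link that can still undo an applied change within a revert window. It also carries the 36-hour re-registration hold Jonah Bron suggests. The in-memory user store, the `check_password` callback and the 14-day revert window are assumptions.

```python
import hashlib, secrets, time

REVERT_WINDOW = 14 * 24 * 3600  # assumed: how long the old address may still undo an applied change
REUSE_HOLD = 36 * 3600          # hold before a vacated address can be registered again (36 h, per the thread)
def _h(token):
    return hashlib.sha256(token.encode()).hexdigest()  # only token hashes are stored server-side
class EmailChangeService:
    def __init__(self, users, check_password):
        self.users = users              # user_id -> {"email": str}; stands in for the real user table
        self.check_password = check_password  # assumed callable(user_id, password) -> bool
        self.pending = {}               # user_id -> change record
        self.held = {}                  # email -> timestamp until which it may not be registered again

    def request_change(self, user_id, password, new_email):
        if not self.check_password(user_id, password):  # re-prompt for the password
            raise PermissionError("password re-check failed")
        if self.held.get(new_email, 0) > time.time():   # registration code would consult self.held too
            raise ValueError("address is on hold")
        new_tok, old_tok = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.pending[user_id] = {"old": self.users[user_id]["email"], "new": new_email,
                                 "new_h": _h(new_tok), "old_h": _h(old_tok), "applied_at": None}
        return new_tok, old_tok  # new_tok is mailed to the new address, old_tok to the old one

    def _valid(self, user_id, token, key):
        rec = self.pending.get(user_id)
        return rec if rec and secrets.compare_digest(rec[key], _h(token)) else None
    def confirm_new(self, user_id, token):  # link in the mail to the NEW address
        rec = self._valid(user_id, token, "new_h")
        if not rec or rec["applied_at"] is not None:
            return False
        rec["applied_at"] = time.time()  # change applied, but still revertible
        self.users[user_id]["email"] = rec["new"]
        self.held[rec["old"]] = time.time() + REUSE_HOLD
        return True

    def finalize(self, user_id, token):  # "yes, that was me" link in the mail to the OLD address
        rec = self._valid(user_id, token, "old_h")
        if not rec or rec["applied_at"] is None:
            return False
        del self.pending[user_id]        # revert option gone; change is permanent
        return True

    def deny(self, user_id, token):  # "that was not me" link in the mail to the OLD address
        rec = self._valid(user_id, token, "old_h")
        if not rec or (rec["applied_at"] is not None and time.time() - rec["applied_at"] > REVERT_WINDOW):
            return False                 # unknown token, or the revert window has closed
        self.users[user_id]["email"] = rec["old"]
        self.held.pop(rec["old"], None)
        del self.pending[user_id]
        return True
```

A deny before the new address has confirmed simply cancels the pending request; a deny after confirmation restores the old address and releases its hold.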