31 Jul 2014

feedPlanet Identity

Katasoft: The Pain of Password Reset in Express

Node.js and Stormpath Rule

I've built many Express applications recently, and it's reminded me of the pains of building password reset functionality since there are many Express tools for handling it. Building password reset is a drag for most developers, every application needs it, and getting it wrong can have a major impact on your application. This post is an effort to reduce the pain of building password reset for other node developers by first describing the systems you're going to need and then offering a recommended workflow for password reset.

Systems Needed for Password Reset

For starters, Express requires you to build out a proper user system. Your first reaction would be to use Passport, but you'll quickly find that Passport does not store accounts - you still have to do that yourself. Passport is good for adding authentication strategies (like Facebook vs username/password) if you already have a user management system in place. So, get coding.

With a user system in place, you start to build password reset. First, you need several additional routes for the pages in the password reset flow, and you need input validation and CSRF protection for your forms.

Then you're going to need an email component to send the user their secure URLs and tokens. If you don't already have email built into your application, you might want to use an email service like Sendgrid or Mailgun. Next, you need email templates for each part of the reset process.

Almost there. You now need to get those reset tokens working. First, you need the logic to create unique tokens for each reset attempt and expire them within a certain time frame and on first use. That will include an additional table to store the tokens and their expiration metadata. Then build the logic in your code to authenticate and verify those tokens before a reset can be completed.

All in all, it's dozens of hours of work (possibly more) you would probably rather spend on core application business logic.

And while it's not rocket science, hand-rolled password reset workflows can be error-prone, and those errors translate directly into vulnerabilities in your application: user accounts can be hijacked. Since password reset is not core to most applications, these types of vulnerabilities are often not discovered until they actually get exploited.

So, let's talk about how to build it the right way.

Password Reset Workflows - The Right Way

Over the years I've used numerous password reset systems, and there is really only one good way to handle password reset functionality in your web applications.

Here's how we recommend you do it:

  1. On your login page, there should be an obvious "Forgot your password?" link. Otherwise you'll confuse users and increase either support tickets or abandonment.

  2. When a user gets to your password reset page, they enter their email address. You may want to ask for a second factor to identify the user at this stage or a later stage.

  3. After the user has entered their email address, send them an email with a link to the password reset page on your site. This link should contain a unique password reset token that expires after a certain amount of time and on first use. If your token isn't unique or doesn't expire, you've got a very real vulnerability on your hands.

  4. After you've sent the user an email, give them a message telling them what to do! Tell the user you sent them an email, and tell them to check their inbox. If you immediately redirect them somewhere else, they'll be confused!

  5. After the user clicks the link in their email, they should be brought to a page on your site that prompts them to enter a new password. Ensure you make the user enter their new password twice so they don't forget what they just typed. Make sure you validate their token before proceeding! If the token isn't valid, you should display an error message and instructions on how to proceed.

  6. Once the user has reset their password, give them a confirmation message to eliminate confusion. "Your password has been reset" is typically good enough.

  7. Lastly, ensure you send the user an email once their password has been changed letting them know what happened. This will ensure the user knows what they did, and is a great auditing tool in the future. It's also an easy alert in the event the user didn't initiate the reset themselves.

If any of these steps is missing, you may confuse your users and open yourself up to security vulnerabilities.

Take the token, for instance. If this token isn't validated, anyone can reset one of your users' passwords, and that isn't a good thing.

If your tokens don't expire after a short period of time (usually 24 hours), then you've got an issue. What if this user's email gets compromised in the near future? What if the token can be easily guessed?

And lastly, if your token isn't actually unique, you'll be in for some embarrassing work meetings. I've noticed that many sites set the password reset token to a guessable number: if you use an incrementing integer value (1, 2, 3, …), it's quite easy for attackers to try these numbers until they find a valid one.

NOTE: It's also worth mentioning explicitly that you should NEVER send your users an email containing their password. Doing so means you're more than likely storing passwords in plain text (an awful idea), and it exposes users to additional risk: what happens if someone looks over their shoulder as they read their email and sees their password? That doesn't just happen in movies.

Stormpath's Password Reset Workflow

The Stormpath API has always handled password reset for developers so you don't have to go through this pain, and we have a great ExpressJS integration. I just added password reset to it, so you don't have to build it yourself!

If you aren't familiar with Stormpath, we're an API service you can use to deploy complete user management in your application: login, user profiles, password reset, Facebook integration, etc. It's all under the hood; your end users never know we exist.

Our popular express-stormpath library fully supports password reset. You can instantly add password reset into your ExpressJS web applications with a single line of configuration information:

var stormpath = require('express-stormpath');

// enableForgotPassword switches on the built-in password reset flow
app.use(stormpath.init(app, {
  enableForgotPassword: true,
}));

After enabling the password reset functionality with the Stormpath middleware, a magical link will appear on your login page that allows users to start the password reset process.

Below are some screenshots that demonstrate what users will see with the baked-in views (100% customizable, of course):

If you'd like to check it out, give some feedback, or point out ways to improve the new Express integration, please take a look at the new password reset documentation and let me know what you think.

If any of you give express-stormpath a try, I'd love to hear from you, please drop me a line: randall@stormpath.com - or tweet us @gostormpath!

31 Jul 2014 3:00pm GMT

Gregorio Lella - Engiweb: Breaking News: IBM acquires CrossIdeas

IBM acquires CrossIdeas to Expand Security Offerings with Identity Intelligence

31 Jul 2014 1:19pm GMT

Kuppinger Cole: IBM to acquire CrossIdeas – further expanding its IAM/IAG portfolio

In Martin Kuppinger

A while ago I blogged about IBM being back as a leader in the IAM/IAG (Identity Access Management/Governance) market. Today the news that IBM is to acquire CrossIdeas, an Italian vendor in the Access Governance market, hit the wire.

CrossIdeas is a key player in Access Governance in its home market, but also had some recent success in other markets, both in Europe and the U.S. The company originally started in authorization and role management. Over time, CrossIdeas (formerly known as Engiweb Security before a management buy-out) added further capabilities. At the center of their solution today is their activity-based approach to SoD (Segregation of Duties), which relies on activities within business processes to model SoD rules. This approach allows auditors and business departments to create and edit SoD rules without specific IT knowledge.

Aside from the strength in role mining/modeling and the SoD approach (which notably provides sophisticated support for SAP environments), CrossIdeas' product IDEAS also provides a well thought-out approach to access risk analysis and management. Furthermore, there are standard capabilities for Access Governance such as Access Recertification.

Furthermore, IDEAS provides a standard integration with IBM Security Identity Manager, which has been deployed at customers before.

From IBM's perspective, CrossIdeas and its IDEAS product add several important capabilities to the IBM portfolio. The strength in managing SoDs from a business perspective relying on business process knowledge is one of these. Access risk management is the other. Combined with the existing integration with IBM Security Identity Manager, IDEAS can provide immediate benefit to IBM. It fits well into IBM's strategy on IAM/IAG, enhancing IBM's offerings for "policy-based Identity and Access Analytics".

From KuppingerCole's perspective, IBM is further strengthening its position in the IAM/IAG market. Being "ready-to-use" based on the existing integration, we expect to see further integration at all levels - platform technology, user interfaces, etc. - into the IBM IAM/IAG portfolio quite soon.

The final paragraph of the other blog post linked at the beginning was:

I always appreciate strong competitors in a market - it helps drive innovation, which is good for the customers. The IBM investment in IAM is also a good indicator of the relevance of the market segment itself - IAM is one of the key elements for Information Security. IBM's strategy also aligns well with my view that IAM is just one part of what you need for Information Security. Integration beyond the core IAM capabilities is needed. So, in light of IBM's current news around IAM, I think it is worth having a closer look at them again.

Nothing to add to this.

Related KuppingerCole Research

Leadership Compass Access Governance

Executive View IBM Security QRadar

Leadership Compass Dynamic Authorization Management

Leadership Compass Identity Provisioning

Buyer's Guide Access Governance and Identity Provisioning

Advisory Note Access Governance Architectures

Executive View IBM Security Access Manager for Enterprise Single Sign-On

Product Report CrossIdeas IDEAS

31 Jul 2014 9:15am GMT

30 Jul 2014

Gluu: 17 Recommended Requirements for an Identity and Access Management POC

We get requests for POCs quite often. In an attempt to provide tactical guidance to organizations developing an identity and access management POC, the following are our top recommended criteria for evaluation. By adding some or all of these requirements to your POC, your organization can limit vendor lock-in and ensure that the solutions considered … Read more >>

30 Jul 2014 3:55pm GMT

Kuppinger Cole: Identity Managed Data Loss Prevention - sleep well at night

In KuppingerCole Podcasts

It's never been easier to control who has access to what, who authorised it, whose access hasn't been removed, and to generate reports on it all. We'll look at the direction of technological and standards development and discuss the ramifications: what do you have to do to exploit the potential?

Watch online

30 Jul 2014 10:56am GMT

29 Jul 2014

Nishant Kaushik - Oracle: Identity Management Is A People Problem (But It Shouldn’t Be!)

Another Cloud Identity Summit has come and gone, and even though it only happens once a year, the effect of being at "the top event on the identity calendar" (as Stephen Wilson puts it) always lingers. You leave trying to process all the great content and ideas you got exposed to, thinking about the wonderful...

29 Jul 2014 8:37pm GMT

Courion: SOX Reporting Headache? Take One ComplianceCourier and Get a Clear View Into ‘Who Has Access to What’

Access Risk Management Blog | Courion

Brad Frost

The headache of Sarbanes-Oxley (SOX) reporting requirements is just about to get easier for Old Republic National Title Insurance Company, since the title insurer selected Courion ComplianceCourier™ for its access certification solution.

The public company, which has more than 4,000 employees, must comply with Sarbanes-Oxley (SOX) reporting requirements. And not unlike many companies we speak with, the IT department was finding the challenge of answering "who has access to what" was absorbing too much manpower and time. The manual data process of gathering user access information and compiling it into spreadsheets was also vulnerable to error.

With ComplianceCourier, Old Republic will be able to centralize and automate the access control process, reducing the risk of unauthorized access. What's more, the access certification solution will allow the company to audit existing access by user, application, administrator, group, or workstation and meet SOX compliance requirements more easily. The efficiency of IT operations will be improved and, as an added bonus, the Active Directory structure will be consolidated. To read more, click here.


29 Jul 2014 3:18pm GMT

Vittorio Bertocci - Microsoft: Protecting an MVC4 VS2012 Project with OpenId Connect and Azure AD

I have to say I am pretty surprised by the attention that last week's OIDC OWIN+WebForms post has garnered. Had I known, I would have posted about it much earlier!

In the same spirit, here's another quick tutorial addressing a common FAQ: "My company is still on VS2012: can I use the OpenId Connect/WS-Fed [...]

29 Jul 2014 6:34am GMT

28 Jul 2014

Matt Flynn - NetVision: BMWs and Bicycles: The Value of Complexity

If your ideas about Oracle Identity & Access solutions start and end with the word complexity, you're missing the big picture. Contrary to what competitors might be telling you, Oracle's current IAM solution looks nothing like a conglomeration of distinct, aging products. If you want to know about today's Oracle IAM solutions, consider concepts like: common data model, consolidated feature set, shared services, unified admin and operational consoles, and a lower TCO than managing multiple point solutions.

It didn't happen by accident. Oracle has a large, diverse, and talented team of engineers and developers. I'm consistently impressed by the level of talent roaming the halls at Oracle. And the team knew years ago that continued innovation was important. They intentionally expended significant effort to rationalize the product backend so that it's not simply multiple integrated products. Did you know that Oracle uses a single connector for user provisioning, access governance, and privileged account management? Did you know that Oracle's provisioning product also provides access requests, risk scoring, and entitlement reviews in a single product? (not a license bundle - a single installed product)

Can the entire solution be downloaded onto a smartphone and installed in 3-5 minutes? No. But, the solution can meet any current or future Identity & Access requirement with a modular, unified approach to Identity & Access for legacy, enterprise, cloud, mobile, and social use-cases. And there are numerous customer case studies that demonstrate Oracle's IAM technology has already been implemented in mobile, consumer, and IoT scenarios with extreme scale. Claiming that Oracle can't handle third platform use-cases is either ignorant or deceitful. Which it is depends on who you're talking to.

That's not to say that there aren't IAM solutions on the market that offer less complexity. But let's investigate complexity for a moment.

Is complexity good or bad?

If you already answered, you're missing the point. The reality is that complexity should be commensurate with your needs and the optimal amount of complexity will depend on the context.

A BMW is more complex than a bicycle. If your goal is to take a leisurely ride through a park to enjoy the weather while getting some exercise, then a bicycle may be a great fit, and a BMW will miss the mark entirely. If the goal is to find a vehicle for your daily commute to work, you might still opt for a bicycle, but you'll be balancing the desire for less complexity with the BMW's feature advantages of getting you there quicker, shielding you from the weather, and requiring less effort. If your intended use-cases involve cross-country trips or travel in severe weather, the complexity of BMW engineering becomes a thing of desire. And if you fall in love with the way a BMW handles corners at speed, well... let's just say you may stop thinking about complexity altogether.

Getting back to IAM, here are some IAM features to consider:

When you begin to think about how these capabilities can be used to enable new business opportunities, it starts to feel like a BMW approaching a corner. And you'll be glad you're not on a bicycle.

28 Jul 2014 8:21pm GMT

Vittorio Bertocci - Microsoft: Org Navigator: a Mobile App leveraging Azure AD Graph

One big feature I've always missed in Windows Phone is the ability to look up people in the directory when I get mails from unknown colleagues.

Sure, the Contacts hub helps you to find out phone, email and even office location - but many important questions remain unanswered. What team is this guy in? What [...]

28 Jul 2014 3:36pm GMT

Julian Bond: Words I dislike, #23 :

[from: Google+ Posts]

28 Jul 2014 6:30am GMT

27 Jul 2014

Anil John: Should Level of Assurance be Scalar or a Vector?

Should LOA be a single number or be made up of components that make up that number?

27 Jul 2014 5:15pm GMT

Julian Bond: Today's neologism: "Accelerationista". Who are they? What do they stand for?

I've also told the stories of accelerating change. Especially in the run up to Dec 2012. And I'm still fascinated by the implications of exponential growth with short doubling periods. But as I get older I wonder where the change is. In many respects 2014 doesn't feel that different from the 1974 of my youth. 2054 could easily be more like 2014 than different. But that presupposes continuing 3% growth in global GDP with sufficient available energy to fund that growth. And that's something I increasingly doubt is sustainable for another 40 years.

Found here.

Incidentally, this is a most interesting essay. It touches on something I've been vaguely aware of. And that's a move in music towards a very cold, clean, antiseptic version of electronic maximalism. It's not just people like Rustie, Logos, Lone, Jam City. But also in erstwhile dirty dubstep producers like Shackleton of Skull Disco apparently recapitulating the kind of ultra clean synth programming of the German Kosmische Musik groups of the late 70s like Tangerine Dream - Neu! - Faust - Amon Düül II.

How are we supposed to react emotionally to musics that make one think of climate change refugees breaking down CCTV secured border fences and then being bombed by drones? Are we closing in on a future where we are all Palestinians and this music is just reflecting that? That's a pretty dark view. Previous music that provided a commentary on war tended to emphasise the dirt and messiness of warfare. This music is emphasising the cleanness of drone warfare waged from cubicle farms in air-conditioned offices with water coolers, office hours, powerpoint and donuts.
Pattern Recognition Vol. 9: Cold Forecast »
This month, Adam Harper, the premier writer on new, underground music, considers musical futurism and finds a paradox in its chilly anti-humanism.

[from: Google+ Posts]

27 Jul 2014 11:54am GMT

Julian Bond: Why is the colour of the digital future predominantly blue?

digital future - Google Search »

[from: Google+ Posts]

27 Jul 2014 11:37am GMT

26 Jul 2014

Julian Bond: Stay Awake

Schwa merch, original and recreated on etsy.
Alien Autopsy: William Barker on Schwa, two decades later »
Twenty years ago, William Barker's Schwa artwork revealed a world of alien abductions, stick figure insanity, conspiratorial crazy, and a hyper-branded surveillance state. It's now more relevant than ever.

[from: Google+ Posts]

26 Jul 2014 10:55pm GMT

Kaliya Hamlin - Identity Woman: I've co-founded a company! The Leola Group

Thursday evening following Internet Identity Workshop #18 in May I co-founded and became Co-CEO of the Leola Group with my partner William Dyson. So how did this all happen? Through a series of interesting coincidences in the 10 days (yes, just 10 days) William got XDI to work for building working consumer-facing applications. He [...]
Related posts:
  1. In Seattle Next week starting on the 10th

26 Jul 2014 4:56pm GMT