Current state of Application
We currently have a huge user base, and we have had the requiresUniqueEmail="false" setting from day one because the business required it.
So our password recovery was done via UserName.
Issue/Problem
Suddenly the business wants the password recovery to be done either by Username or Email. But because we never had unique emails in the system (in a few cases no email at all), we have quite a few duplicate emails in the system. For example, xyz#xyz.com is assigned to 10 different usernames.
How can I tackle this situation in best possible way?
I was thinking along these lines: if a user selects recovery by email, I will go ahead and send all the usernames associated with this email. Is that a good option?
Would love to have more ideas on this. I am sure someone has had this sort of issue before.
When accounts were set up, did it send out a validation email to ensure people only subscribed using email addresses they owned? If so, then you could send out all usernames safe in the knowledge that the owner of the email created them. If you didn't require validation, then possibly anyone could get the email and read someone else's account.
You can use email to narrow down to a single username recovery. For example:
Given a set of 10 usernames with the same email "email#domain.com"
When I click "Recover Password By Email"
And I enter "email#domain.com"
Then I should see the message "select which username you want to recover"
And I should see a list of the 10 usernames
When I click on the username "username1"
Then I should receive a password recovery email for the "username1" account at the "email#domain.com" address
This way, you're still doing recovery by username, but only when the email has more than 1 username match.
I don't like the idea of sending the password recovery to all usernames. The user may have only forgotten one password.
Related
I know how to send an email with C#. To do that, I need to know the user and password of the user.
I have basic knowledge of how to store a password using a hash + salt: store the hash of the password, so each time the application gets the password, it hashes it and compares the result with the stored hash. This is good for login, because the user types the password in order to use the application.
However, for sending an email, I would like to avoid the user having to type the password of the email account, so the solution for the login doesn't work in this case. I would like to store the password in the database in some way so the application can get it. The problem is that if I store the hashed password, the application can't get the password back, because the hash is one-way encryption.
So I would like to know what alternatives I could use to store the password in the database in a secure way such that the application can retrieve it to send the emails.
Thanks.
Ideally, emails are sent by services using a default or common email ID. But in your case, if the service is being used by many users for sending emails, you should ask the user (the first time) to log into it, and then you can generate a session (for a specified time period) and send emails based on this. Once a session key has expired, the user should be forced to log in again.
So a session is generated, after a successful login, for each user who is to use this service for emails.
So this would not require saving the password anywhere, as saving a password in its original form, or in any other form that can be retrieved back, is not advisable.
I want to add this feature to my application. It works OK, but I'm afraid of a problem here. First, I'll talk a little about how I implement the feature. Simply, the user has to register his email address first (at registration time). If he loses his password, he can click on a link to activate the sender. This sender will send the password (corresponding to his username) to his registered email address. I think there could be many kinds of sender here, and I'm using SmtpClient to send the email. This SmtpClient needs a NetworkCredential, and I provide it with some valid and active credentials. I have to create some user accounts (in the Gmail and Yahoo networks) and apply these accounts' information as the credentials for my SmtpClient.
Here is the problem: my password restoring feature won't work if all those credentials are invalid or inactive. I mean, if all the user accounts (which I created in Gmail and Yahoo Mail) somehow are inactive, the SmtpClient will be unable to send the email. The most common reason for those accounts being inactive is that there hasn't been any access/login to them for a long time (e.g. about 3 months). It is almost certain that this will happen, unless I remind myself to log in to those accounts periodically to keep them active.
I wonder if there is any solution for this? I've thought of keeping those accounts' information in a config file, but the customer won't know how to edit that config file to change the sender credential information, and even if they know how to, that's so inconvenient. I've also thought of popping up a window requesting the sender credential information from the user (the user may use his own email account or has to create a new one); that's also inconvenient, I think. I've also thought of logging in to those accounts (via my application) periodically (about once a month) to keep them active. But I wonder if there is a better solution, plus that requires the user's computer to be connected to the Internet, and this is not always the case (there is even the situation where the user's computer is offline for months or years, but suddenly one day he loses his password, wants to get it back, and at that time connects his computer to the Internet and uses the password restoring feature, but he can't because all the accounts built in for the sender credentials have become inactive because of not having any access/login to them for months/years).
Do you have any idea on how to solve this problem?
UPDATE
I'm sorry to whoever suggested to me that there is a security flaw here, but I just want a solution for the password restoration. If you are kind enough, please let me know what the security flaw is in detail. As I mentioned above, there is of course a security flaw because the user password (in plain text) is saved in memory. But that's just a demo, and it's only for demonstrative purposes for my real problem, which is sending the user a new password (or any kind of authoritative access info). Here is what I want to explain more:
Suppose user's password is: Iloveprogramming
After hashed, it should be 3920bdbd4c000dd392e2501e89747173
That's all my application knows about user's access info.
When the user types in his password correctly, that entered password should be hashed into the same string above, and this will be compared against the hashed string stored in the database, and he should be logged in.
Now if he forgets his password, what can I do?
Here is the way most of websites do for us (who unfortunately forget our passwords):
- Support a link like "Forgot your password?"
- Clicking the link will lead you to a page like this:
-> Supply your user name: ............
-> Click OK (or any submit button) to get your new password.
I would like to do the same with my application. This is a Windows Forms application. I know that the content sent to the user's email address should only be some confirmation link (about the password restoration), not a password (this is known only by the user who uses the email the password is sent to; however, other users may disturb him by clicking on the 'Forgot password' link and filling in his user name). But that is only a must-do for a multi-user application; my application is in fact for only 1 user using it on his own machine. What is the flaw?
Here is what I intend to do:
Auto-generate the password, hash this password and save that hashed string into the database as the new hashed password for him. After that, send this auto-generated password immediately to his email address.
Dispose the string which stores the newly generated password.
What is the flaw here? And if it does exist, please let me know another solution for this. I'm just afraid that the email account which is used to send the password to my user's email address may not work (inactive) in future for some reason (as I said, not logging in for a long time).
Please feel free to explain the flaw in detail in an answer; it may not answer my original question, but it does help me and I would accept that answer. Thank you!
Again, I don't have money for a dedicated website for the password restoring feature of my winforms application.
I'm looking for the most efficient way to remove users with duplicate emails in my asp.net MVC2 website that is using the default membership provider.
We launched this site and did not set unique emails to true, now that I am trying to implement a Forgot Username/Password feature I've come to realize over 100 users have re-registered as they forgot their password and there was no forgot password feature. This is a problem as I need to have the user enter their email to send them their username and password reset email. This fails since multiple users share an email.
I wish I had noticed the unique email option in the web.config before launch, would have saved a huge hassle. :(
I would like to delete all these accounts easily without having to do it manually 1 by 1, and I will then contact them and let them know their duplicate account has been created.
What's the best way to go about doing this? Some users have registered with the same email up to 5 times.
You could call Membership.GetAllUsers() to get a list of all users.
Then group by MembershipUser.Email, decide which one to keep (for example, keep the account with the most recent LastActivityDate), and delete the others (Membership.DeleteUser).
It would be trivial to write a small program to do all this. Of course you might want to consider whether you should consult your users before deleting their account. E.g. you could send an email telling them that the account will be automatically deleted if they don't reply within some period.
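An added example (not the answerer's code) of the procedure just described, in C# against the default ASP.NET Membership provider: it groups accounts by e-mail, keeps the one with the most recent LastActivityDate and reports the rest per e-mail so the owners can be contacted first; nothing is deleted unless dryRun is set to false. It assumes System.Web.Security is referenced and the membership section of web.config is configured.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Security;

public class DuplicateGroup
{
    public string Email;          // shared e-mail address
    public string Keep;           // username with the most recent LastActivityDate
    public List<string> Delete;   // the other usernames sharing that e-mail
}

public static class DuplicateEmailCleanup
{
    // Pure function over the user list so the plan can be reviewed before anything is deleted.
    public static List<DuplicateGroup> Plan(IEnumerable<MembershipUser> users)
    {
        return users
            .Where(u => !string.IsNullOrWhiteSpace(u.Email))   // accounts with no e-mail are left alone
            .GroupBy(u => u.Email.Trim(), StringComparer.OrdinalIgnoreCase)
            .Where(g => g.Count() > 1)
            .Select(g =>
            {
                var ordered = g.OrderByDescending(u => u.LastActivityDate).ToList();
                return new DuplicateGroup
                {
                    Email = g.Key,
                    Keep = ordered[0].UserName,
                    Delete = ordered.Skip(1).Select(u => u.UserName).ToList()
                };
            })
            .ToList();
    }

    // dryRun = true (the default) only prints the plan; pass false to delete.
    public static void Run(bool dryRun = true)
    {
        var users = Membership.GetAllUsers().Cast<MembershipUser>();
        foreach (var g in Plan(users))
        {
            Console.WriteLine("{0}: keep {1}, remove {2}", g.Email, g.Keep, string.Join(", ", g.Delete));
            if (dryRun) continue;
            foreach (var name in g.Delete)
                Membership.DeleteUser(name, true);   // true also removes profile/role data for the account
        }
    }
}
```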
I am validating emails using a regular expression, and it's working fine for me. What if the user gives some dummy mail ID in the textbox?
How can I check whether the entered mail is valid or not without telling the user to log in to that mail and click a subscribe link?
Is it possible to check like this?
Thanks in advance
How can I check whether the entered mail is valid or not without telling the user to log in to that mail and click a subscribe link?
You cannot. Period. Thanks to spammers, no email server will behave. Some will send you "user does not exist" errors, some will even swallow them.
Plus, legally, you also have to make sure the subscriber actually OWNS the mailbox, and is not entering someone else's email.
The only way I can think of is:
Send an email to the specified email address; if you don't get a bounced email, the email provided by the user is valid.
Without verifying that the user can actually read email, you can't ensure it's that user's real account.
Many domains accept all mail and use it for spam analysis on invalid accounts, and a user can easily provide 'real' accounts they don't control (e.g. sales#example.com).
In the new user registration page, how to check whether the email id entered by a user is valid? I want to check the entered email id actually exists before the user submits his information. Please do not give code for checking email id string using regular expression, I want to check whether the entered email id actually exists.
You cannot "check" that reliably. You need to "ask": send an email to that address with a secret code that your users must enter on your site, or a link with the secret code that the user must click.
Edit: About the reliably part.
While an SMTP server may respond that a mail address is invalid, they usually don't, because that would help spammers identify valid addresses more easily. That would also require your code to talk directly to the SMTP servers responsible for each domain. Usually you send mail through your local SMTP server, which does the job of forwarding the mail to the right recipient(s).
What you can do however is at least check that the domain exists by asking your favorite DNS service.
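An added example, not part of the answer, of the "ask, don't check" approach in C#: it issues a random single-use code, stores only a SHA-256 hash of it with an expiry, and confirms the code when the user comes back; a helper performs the domain-exists pre-check with the system resolver (an address lookup, since System.Net.Dns offers no MX lookup). Sending the mail itself (e.g. via SmtpClient) is left to the caller.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Security.Cryptography;
using System.Text;

public class EmailVerifier
{
    // e-mail -> (SHA-256 of the code, expiry); only the hash is kept, so a DB leak does not expose live codes
    private readonly Dictionary<string, Tuple<byte[], DateTime>> _pending =
        new Dictionary<string, Tuple<byte[], DateTime>>(StringComparer.OrdinalIgnoreCase);
    // Cheap pre-check from the answer: does the part after '@' resolve at all? (address lookup, not MX)
    public static bool DomainResolves(string email)
    {
        int at = email.LastIndexOf('@');
        if (at <= 0 || at == email.Length - 1) return false;
        try { return Dns.GetHostEntry(email.Substring(at + 1)).AddressList.Length > 0; }
        catch (System.Net.Sockets.SocketException) { return false; }
    }
    // Returns the plaintext code to put in the e-mail (as a link parameter or a code to type in)
    public string Issue(string email, TimeSpan lifetime)
    {
        var raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        string code = Convert.ToBase64String(raw).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        _pending[email] = Tuple.Create(Hash(code), DateTime.UtcNow + lifetime);
        return code;
    }
    // Single use: the entry is removed on success, expiry and mismatch alike, so a wrong guess
    // means requesting a fresh code rather than retrying against the same one
    public bool Confirm(string email, string code)
    {
        Tuple<byte[], DateTime> entry;
        if (!_pending.TryGetValue(email, out entry)) return false;
        _pending.Remove(email);
        return DateTime.UtcNow <= entry.Item2 && FixedTimeEquals(Hash(code), entry.Item1);
    }

    private static byte[] Hash(string s)
    {
        using (var sha = SHA256.Create()) return sha.ComputeHash(Encoding.UTF8.GetBytes(s));
    }

    // Constant-time comparison so response time does not leak how many bytes matched
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```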
In order to do this, you'd need to telnet to the email provider in order to check if it exists. Hotmail, for one, will not allow you to do this.
You should be using the membership system for your ASP.NET registration form.
Here is a good article explaining how it all works:
https://web.archive.org/web/20211020202857/http://www.4guysfromrolla.com/articles/120705-1.aspx
It includes a page on how to verify email addresses like you describe.
The only 100% accurate method is to send it an email and ask the user to click a link in that email to complete registration.
Short of that, there is a fallible method of connecting to the mail server. I'll see if I can find a good article (here you go) and edit this post with a link shortly.
This depends on the email provider. Most of the providers block this option to prevent spammers from knowing which addresses are valid...