CSC/ECE 517 Fall 2016/E1690 Improvements to password recovery and repeated login failures: Difference between revisions

E1690 Improvements to password recovery and repeated login failures

This wiki page is for the description of changes made under E1690 FinalProject for Fall 2016, CSC/ECE 517.

Background

Expertiza is an Open Source web application developed on Ruby On Rails platform. It is a platform which allows students to access assignments posted by the course instructor. Expertiza also allows students to select assignment topics, form teams and submit their work. It also allows them to review other students' submissions and improve their work based on the feedback provided. The instructor can look at the feedback provided by students and rate the student based on feedback provided for others work. It helps organize and upload assignments and reducing the manual review process and helps students provide a peer feedback and also learn from reviewed work. Teams can be chosen by the student or can be assigned automatically based on a priority list inputted alongside each topic available for the assignment.

Project Description

Our final project consists of two cases of the password recovery process. Use case 1, Currently, when a user forgets his/her password and wants to reset the password, Expertiza system randomly generates a new password and sends the password as plain text in a email. It is normally considered as a bad practice to send passwords as paint text. We are replacing this practice by sending a reset password link that expires after a certain amount of time. Use case 2 deals with when a user enters wrong credentials. Currently, the login page simply shows an error. Irrespective of the number of times that a user enters wrong login credentials, the system produces a general error message. We are going to be replacing this system by using the alternative 2, using a captcha to verify that the user is indeed a human and not a bot trying to run a brute force attack on the system. This will add the needed layer of security and should serve as a great solution. Below are more details of our planned implementation.

Files Created/Modified

As a part of the project the files mentioned below were the ones, created/modified as needed. auth_controller.rb reset_password.rb (model) reset_password.html.erb (vie)

Implementation

We are going to implement the new password recovery system by sending a reset password link to the users email. This link will be comprised of a generated path to a newly created view for resetting the password with a uniquely randomly generated parameter. This parameter will be a string attribute of a new model we are creating called reset_password. This link will expire after a given amount of time. Using logic to compare the createdAt timestamp as well as the current time, we would be able to program the idea of an expired link.

We are also implementing a backoff system that will require the user to complete a smart captcha after 3 failed attempts. This smart captcha will be generated through Recaptcha gem and the user will then be redirected to the login page after successfully changing the password. This will ensure that the system is not vulnerable to Brute Force attacks as well as bots.

Model Schema

Model: reset_password

Attributes -id(autogenerated) -integer -unique_tokenhash -String -createdAt (autogenerated) -timestamp -user_id -integer (Foreign key to user table)

Model Details When the user clicks on reset password, it will redirect to a view that has an input to enter the email address of the user. Reset password button will generate a random token (Long string) which will be hashed and saved in the database of the model reset_password. An expiration date will be generated and saved along with the user_id by looking up the user table using email id. The unhashed Token value will be appended on the url emailed to the user for the password reset page.

www.expertiza.com/resetPass?username=random&token=ZB71yObR-Tdssg-@#%

On clicking the url, the link will take you to a controller that will direct you to a reset page. Before redirecting , the controller checks the parameters in the link (username and token) and makes sure that token username pair exists and not expired. Token from the params will be hashed again and checked with the db. This prevents an attacker who has read access to the database from making a token for some other user, reading the value that was sent in the email, then sending the same value himself. Once the controller completes all the necessary checks, it will redirect to a reset password page for that specific user (based on the user_id / username)

Captcha

The project will be using ReCAPTCHA gem. ReCAPTCHA is a free service from Google that helps protect websites from spam and abuse. A “CAPTCHA” is a test to tell humans and robot apart. This kind of service is important for websites or web applications with lots of user generated content. The test is easy for a human to solve, but hard for bots and other malicious software to figure out.

After 3 failed Login attempts, a captcha would appear to make sure that a bot or a malicious software is not trying to attempt login using brute force.

Test Cases

Following methods and functionalities will be tested using rspec

1. Check if Hash is being generated as per required. 2. Check if targeted user_id and user_mail are extracted from db 3. Check if the link generated is of desired format 4. Check if mail functionality is called. 5. Check if token and user_name are extracted from the url 6. Check if successful reset password changes record in DB 7. Check status triggered by reCAPTCHA Gem