osCommerce

Secret Questions


Obewanz


Just uploaded a new contribution that removes the password being sent via email and replaces that operation with new functionality. This contribution will use "Secrets" to allow the customer to reset their password via a secured page. (You should have this if you are running a live site and accepting payments without a third party processor - such as paypal.)

 

Anyway, find the contribution and read the introduction here: http://addons.oscommerce.com/info/5781 (Secret Questions in Other)

 

I'm interested in hearing feedback so let me know what you think.

 

PS: I'm sure that I messed up on the first post regarding this contribution and I couldn't see a clear category to put it in as it wasn't a payment module, etc. :blush:

The GraphicZoo

check profile for web address


Has anybody even been interested in this contribution?

 

Please let me know how the installation goes if you use it. That will help me for future contributions. ;)

The GraphicZoo

check profile for web address



I have been interested, but have not had the time to install on the test site (doing another project there). However, and I had been meaning to ask this, when you do have the username and password and you put them in correctly, you still get asked one of the secret questions.



 

Hi,

 

I just installed your Secret Questions contribution, the install went smooth and all seems to be working mighty fine.

 

I do like the idea of the customer being able to reset their forgotten password right away without the need for them to retrieve an email that will take their attention away from the store.

 

Many thanks for your hard work!



Leslie,

You should not be asked for the secret question if you have the userid and password, unless the user's "Secrets" are blank in the database - at which point the user is notified via a "warning message" that they don't have any Password Secrets and should create them. In this situation, it also takes them to the password_forgotten.php page which sees that they are logged in, but need secrets, so it doesn't ask them for their email. (The first step in resetting) It actually just asks for the secret question and secret answer, the "Secrets", and then redirects to the index.php page when these are entered correctly.

 

The contribution sets up a default min length and max length for the secrets which can be changed via the configuration menu in the Admin panel to whatever you like. (You would have to change the database fields in the customers table if you want to exceed the default maximum for these.)

 

Hope this helps!

The GraphicZoo

check profile for web address



Sorry Ben, sloppy wording in my post. I meant that I would like to see a random secret question come up even when the password and userid are correct. This is the way citibank does it. Just extra protection, but not vital.



Leslie,

I don't really see this providing much in the way of extra protection when you evaluate the impact on the customer. As for Citibank, well they are a bank and as such try to make things a bit inconvenient in the name of security. When I worked at NASA, we had systems that required you to change your password every week, you couldn't write the password down and it had to contain both alpha and numeric characters with a length no less than 7 characters. This was what I would call a secure system except that you could remove some of the data once you gained access - but this is not a viable security setup for an ecommerce site as NO ONE would ever be able to purchase from you - you would probably be better off using (Purchase Without Account) and just leave it at that.

 

Now that I've had a rant - sorry :blush: - I'll get back to the original question; why would you want something to come up random like that on an ecommerce site? Seems to me the customers would be more annoyed as the login process would change periodically.

 

If you REALLY wanted that feature, it would be easy to implement in the existing contribution by adding a "check" field in the customers table and writing a little random number generator (one may already be in the general functions library) to pop into that field an integer, each login decrements the value by 1 and when it hits 0, the "Secrets" get presented. Of course the login.php page would have to be where this happens, but that is another simple modification.

The GraphicZoo

check profile for web address


After having a second to read what I previously posted about how the contribution might be modified to accommodate your request, I realized that I stated the "check" field going into the customers table, that would be incorrect - it should go into the customers_info table as that table is updated with each login, thus reducing the overall number of queries. I would probably call this field something like "secret_check" and give it an integer field type with a length of 3 and a default of 0. That would force all new logins to deal with the password secrets.

 

The next step would obviously be to write the random number generator and update the code in login.php as well as password_forgotten.php (call rnd generator and update "secret_check" since customer has just accessed the secrets) to handle the logic regarding when to present as well as decrementing the "secret_check" number and resetting the value once presented. Oh and the create_account.php page should probably be modified to dump the rnd number into "secret_check" as well since this is where the account would start off.

 

This is probably not something that I would write anytime soon as I have other obligations at the moment, but you can PM me if you want to discuss when/where, etc this might happen, if you really want it.

Edited by Obewanz

The GraphicZoo

check profile for web address

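The "secret_check" counter described in the two posts above (random value written at account creation and after the Secrets are answered, decremented on each password login, Secrets presented when it reaches 0), worked through as an added example in Python; this is not the contribution's own PHP and models the customers_info row as a dict. The counter range, the constant-time comparison against a hash of the answer rather than the stored text, and the function names are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Assumed range for the random counter; the thread leaves the range open.
SECRET_CHECK_MIN, SECRET_CHECK_MAX = 2, 8

def hash_answer(answer: str) -> str:
    # Added hardening (not in the contribution): compare a hash of the normalised answer.
    return hashlib.sha256(answer.strip().lower().encode("utf-8")).hexdigest()

def new_secret_check(rng=secrets.randbelow) -> int:
    """Random value written to secret_check whenever the Secrets were just used."""
    return SECRET_CHECK_MIN + rng(SECRET_CHECK_MAX - SECRET_CHECK_MIN + 1)

def make_customer_info(question: str, answer: str) -> dict:
    """Stand-in for a customers_info row at create_account time (constructed data)."""
    return {"secret_question": question,
            "secret_answer_hash": hash_answer(answer),
            "secret_check": 0}   # default 0: the first login must present the Secrets

def login_step(info: dict) -> str:
    """login.php logic after userid and password have been accepted.
    Returns 'need_secrets', 'present_secrets' or 'proceed'; decrements the counter."""
    if not info.get("secret_question") or not info.get("secret_answer_hash"):
        return "need_secrets"         # warning message, then password_forgotten.php to create them
    if info["secret_check"] <= 0:
        return "present_secrets"      # counter exhausted: ask the secret question now
    info["secret_check"] -= 1
    return "proceed"

def check_secrets(info: dict, answer: str, rng=secrets.randbelow) -> bool:
    """password_forgotten.php logic: verify the answer, then re-arm the counter."""
    ok = hmac.compare_digest(hash_answer(answer), info["secret_answer_hash"])
    if ok:
        info["secret_check"] = new_secret_check(rng)
    return ok

def walk_logins(info: dict, answer: str, logins: int, rng=secrets.randbelow) -> list:
    """Run `logins` successful password logins, answering the Secrets when asked;
    returns the sequence of login_step results so the cadence is visible."""
    results = []
    for _ in range(logins):
        step = login_step(info)
        if step == "present_secrets":
            check_secrets(info, answer, rng)
        results.append(step)
    return results
```

With the default 0 a freshly created account is asked for its Secrets on the very first login, which is the behaviour the post describes; a wrong answer leaves the counter at 0 so the question is asked again next time.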


Hi Ben

 

Thank you for your reply.

 

I have another project that we have been trying to get off the ground for some time, but is on the backburner for the foreseeable future. The holdup is the uptake of the product by the agencies. It is here that I was thinking of using the secret questions as extra protection. Since it may never happen, it is not so important.
