On password recovery, what to do if device is already logged in?

Say a user requests a password recovery on a computer. Our system then sends an email with a unique link to recover the account.

However, now consider that the user receives this email and opens it on his mobile phone (or any other device). He clicks the link; however, on this device he is already logged in to another account.

So the naive implementation is that the user gets a password recovery while already logged in, potentially to another account. This feels awkward and unintuitive, but I can’t really decide on the correct course of action. I see several options and wonder which follows the principle of least astonishment:

  • Should the current behavior be kept, allowing a logged-in user to change the password for another user?
  • Should the current session be invalidated/user logged out upon opening the password recovery link?
  • Should the link just “not work” (forbidden error?) when trying to open on a device where already logged in?

And would this behaviour change if the request is for the “same” user? (I.e. on the other device he is already logged in as the user the password request was made for.)

Store passwords in a text file… is it really much worse than a password manager?

My idea:

Storing my passwords in a text file kept on Dropbox and accessed through a python script to quickly retrieve the password for the site I want to access.

My motives:

I want to be platform-independent as much as possible (currently, my passwords are stored in Safari’s integrated password manager). Also I don’t want to use any third party services, free or otherwise, just to store my passwords. I try to be as minimalist as possible even in my online life.

My reasoning:

Firstly, all the passwords for my core services (gmail, apple id, bank, dropbox) are long, random, and only stored offline in my brain + I use two-factor authentication on all of them. So it’s not like I am devising a system that needs to keep my most prized assets. The text file would only include passwords for less important websites and services. The worst that could happen if someone were to get access to the text file is that he posts stupid questions online under my name 😀 …something I don’t think professional hackers usually do.

Furthermore, in order to access the text file containing the passwords, you would need to get into my dropbox (which is protected by a strong password + two-factor authentication), get into my mac (which is protected by a strong password), or access my hard disk (which is encrypted through FileVault).

Also, if someone breaks into my mac they are gonna have access to the passwords kept in safari anyway. Soooo… what am I missing?

PS: keep in mind that I don’t know anything about cyber security, encryption, or anything like that. I am not looking for a technical answer that I wouldn’t be able to understand. Thanks.

Website returning plaintext password

I have recently logged into a website. When I clicked on the “Update Profile” page, I was shown a list of text boxes for all the user fields, e.g. name, email, phone number etc.

There is also a box for password and confirm password (for if you wish to update these values), however, when you go into this page, those boxes are already populated, which made me think, why are they putting placeholders in?

When going into inspect element, they actually have the values of your password, transformed into upper case like this:

<input type="password" name="txtPassword2" size="45" value="MYPASSAPPEARSHERE">

I have also recently noticed that the case of your password or username is irrelevant when logging in – e.g. I can put it in all caps, all lower, or a mixture of both and it will still accept the password.

Is this a security hole, and does this indicate they are storing passwords as plain text?

Random access and changed password email

A few weeks back I had an email from Apple telling me that someone was trying to log on to my account from a location they don’t recognise, “China”, and that they had locked down my account. Today I got an email saying “Your password has successfully Reset”, whereas I never changed it. It had a link for me to go to a “Resolution Centre” if it wasn’t me. I am a bit confused as to whether it’s a phishing email or really from Apple. And what does “Password Successfully Reset” mean?

Repeated password entry despite it being visible?

If the signup for a new user account dialog includes an input field to set a custom password which has an option (eye icon) to uncover its current textual contents, should there also be an input field to repeat the password once more which ensures that the user does not mistype it (which uncovering it also does)?

If either a visible password or a repeated password suffices, should the eye icon toggle the repeat password input field?

(This question assumes, of course, that asking the user to repeat their password upon signup is a good UX pattern in the first place. I do not have the possibility to implement a passwordless signup due to organizational restrictions, by the way.)

Protect against password cracking in Windows

I know that tools exist to get passwords in plain text from memory in Windows (read memory and decrypt passwords from the LSASS process).

Does this behavior still exist in Windows Server 2019?

Is there any way to prevent a local admin user from getting the password from a Windows machine using one of these tools, for example Mimikatz?

Admin can’t select user to reset password

2011 Macbook Pro running El Capitan. I’m set up as the admin and my child has a standard account with parental controls enabled. My child forgot their password and I’m trying to reset it in System Preferences. I unlock the padlock with the admin password, but my child’s account is still grayed out and I can’t select it to reset the password. This happened about a month ago but one day suddenly I could select their user account and I successfully reset the password. I don’t know why I suddenly could select it, and I don’t know why I now suddenly can’t select it. I tried locking and unlocking the padlock but it didn’t make a difference. There are plenty of resources out there to show me how to reset the password other ways, I’m looking for an explanation of why I can’t select the user account after unlocking the padlock with my admin password.