In a hypothetical website, there are two types of users, admin users and normal users. Normal users can change their own password, and in keeping with best practices are required to provide their current password when doing so.

Admin users can change the password of any user. Should they be required to confirm their password when doing so?

  • Admin must be authenticated before doing administrative tasks, such as changing other users' passwords. Admins do not have to know the user's passwords (old and new) to do so. Admins can be asked to input some data that cannot be automated, such as typing their password, before performing sensitive administrative tasks to prevent XSS attacks. – A. Hersean 12 hours ago

This is an anti-pattern with respect to the least privilege principle. In the common case, a "reset password" button should be enough, which will lead the target user to a password reset form.

But if you need exactly a "set new password" button, then you should consider two relevant attack vectors - CSRF and XSS. If you mitigate them well, that should be enough without additional authentication.

Admin users can change the password of any user. Should they be required to confirm their password when doing so?

The website could prompt the admin user for his password on each setting change, including password resets for normal users.
Regardless of this policy being good or bad, you just want to confirm that the right user is performing admin tasks; this is different from the normal-user case, where the purpose of requesting the current password is to make sure the right user has access to the right account.

Probably not beneficial to make them re-enter their password for an action like resetting a user password - you already made the admin user authenticate to your system. You could make every user enter their password for every possible action and it would be "more secure," but not meaningfully so. Additionally, resetting a password is not an especially sensitive action for an admin user to take (not like deleting a resource, for example).

Assuming you are already properly authenticating the admin user in the first place, and that you are protecting from other cross-site attacks, this would only really address two scenarios:

  1. Your website doesn't automatically log out users, and an admin user logged on and then left their workstation available for another person to physically hijack - an extra password check would mitigate this (admittedly unlikely) vulnerability. You should be automatically logging users off after regular intervals of inactivity anyway, particularly privileged users.
  2. You want to make the admin consider carefully whether they actually want to perform the reset - analogous to deleting a repository on GitHub or a virtual machine in Azure, where you have to type the name of the resource you're trying to delete. Resetting a password is typically not as big of a deal as deleting resources though, so this also seems not very beneficial compared to the hassle for the admin users.

Not much benefit in any case. You would be better served by making sure things like two-factor authentication work and protecting against cross-site attacks.

  • "and that you are protecting from other cross site attacks" - Filtering cross-site attacks is never perfect, so it's reasonable to take extra steps for such a sensitive function. Requiring that the admin re-enter their own password will hard shut down CSRF, XSS, etc, and make clickjacking far more difficult. – ThrawnCA 4 hours ago
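The two mechanisms debated above (odo's CSRF/XSS mitigation and ThrawnCA's "re-enter your own password" step) can be sketched as one authorization check for an admin-driven password reset. This is an added illustration, not code from any of the answerers; the session and request shapes, the `example.test` origin, the five-minute re-authentication window and the PBKDF2 parameters are all assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Assumption: after an admin re-enters their own password, the "sudo mode"
# stays valid for five minutes; afterwards the sensitive action asks again.
REAUTH_WINDOW_SECONDS = 300
ALLOWED_ORIGIN = "https://example.test"  # constructed site origin


@dataclass
class Session:
    """Server-side session state for an already-authenticated user."""
    user_id: str
    is_admin: bool
    # Per-session anti-CSRF token; the form must echo it back in the body.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    # When the admin last proved knowledge of their own password (None = never).
    last_reauth_at: Optional[float] = None


@dataclass
class ResetRequest:
    """The parts of an incoming POST /admin/reset-password that matter here."""
    target_user_id: str
    csrf_token: str            # value read from the submitted form, not from a cookie
    origin: Optional[str]      # Origin header as sent by the browser, None if absent


def make_password_record(password: str) -> dict:
    """Constructed stored credential: salted PBKDF2-HMAC-SHA256 digest."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return {"salt": salt, "digest": digest}


def reauthenticate(session: Session, supplied_password: str, record: dict,
                   now: Optional[float] = None) -> bool:
    """Verify the admin's own password and, on success, open the re-auth window."""
    now = time.time() if now is None else now
    candidate = hashlib.pbkdf2_hmac("sha256", supplied_password.encode(),
                                    record["salt"], 200_000)
    if not hmac.compare_digest(candidate, record["digest"]):
        return False
    session.last_reauth_at = now
    return True


def authorize_admin_password_reset(session: Session, req: ResetRequest,
                                   now: Optional[float] = None,
                                   require_reauth: bool = True) -> str:
    """Decide whether an admin may set another user's password.

    Returns "allowed", "reauth_required", or a "denied: ..." reason.
    """
    now = time.time() if now is None else now
    if not session.is_admin:
        return "denied: not admin"
    # CSRF: the form token must match the session token. A forged cross-site
    # form cannot read the token, so it cannot supply a matching value.
    # compare_digest over bytes keeps the check constant-time and avoids a
    # TypeError on non-ASCII input.
    if not hmac.compare_digest(session.csrf_token.encode(), req.csrf_token.encode()):
        return "denied: csrf token mismatch"
    # Defence in depth: browsers attach Origin to cross-site POSTs, so an
    # unexpected value is rejected even if the token check were ever bypassed.
    if req.origin is not None and req.origin != ALLOWED_ORIGIN:
        return "denied: cross-origin request"
    # Optional step from the discussion above: require a recent re-entry of the
    # admin's own password. Script running in the admin's page (XSS) or a
    # hijacked unattended workstation does not know that password.
    if require_reauth:
        if session.last_reauth_at is None or now - session.last_reauth_at > REAUTH_WINDOW_SECONDS:
            return "reauth_required"
    return "allowed"


if __name__ == "__main__":
    admin = Session(user_id="alice", is_admin=True)
    record = make_password_record("correct horse battery staple")  # constructed
    req = ResetRequest("bob", admin.csrf_token, ALLOWED_ORIGIN)
    print(authorize_admin_password_reset(admin, req))            # reauth_required
    reauthenticate(admin, "correct horse battery staple", record)
    print(authorize_admin_password_reset(admin, req))            # allowed
```

With `require_reauth=False` the function implements odo's position (token plus origin check only); with the default it adds the re-entry step ThrawnCA argues for, so the trade-off discussed in the answers becomes a single switch rather than two code paths.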
