I have in my web application a role called “Administrator”. Users who have this role should be able to modify the information about the registered users.
I am thinking about displaying a table with the user details such as e-mail, username, and be able to change them but I don’t know what should I do if a users comes to the office physically, goes to an admin and asks for a password change (yes they can do that). Should the admin just press a reset button over the row and tell the user to check his e-mail when he arrives home and proceed with the recovery? (reset link for example) Or should the administrator reset the user’s password and give him his new password in that very moment? The second approach is preferable as I was asked to do that…
I know that the admin shouldn’t be able to see the original password as it should be hashed and unknown.
What are your thoughts about this? How would you implement this functionality? Thanks for your help.
There is no one perfect answer for this question. The question of workflow will always be dependent on the specific use-cases of an application and will depend on the context it is built in.
That being said, you are right about one thing – it is horrible, and I do mean horrible, security breach to let an Admin or any other user view a clear text password for someone else. So that’s definitely off the table.
In your case, it seems giving the admin the right to change someone’s password is the way to go. If you’re worried about how it looks, don’t be. Google Apps allows domain administrators to change the password for any email account under that domain.
Finally, I would suggest a small additional safety measure. When an Admin changes another user’s password, store the old encrypted password in a column, don’t delete it. When the admin set’s the new password, shoot out an email to the user saying “Your password was changed by the Administrator, if you did not request for this, please click here”. When they click on the link in the email, simply overwrite the new password with their old one.
That way in case an Admin is changing passwords without the user requesting it, you have a recourse for the user and the logs will keep you informed of how many time an admin has had a password reset revoked by the user.