Indicate that password reset was initiated by an admin when an admin resets a user password
Problem to solve
A GitLab admin currently has the ability to reset a user's password from the UI or the API, but the email that is sent out is the same as if it was initiated from the account.
In a security remediation scenario, where an administrator needs to reset the password of a suspected compromised user account, the text of the email should indicate that the action was initiated by an admin.
The email is sent out when the password change is made via the API and in the rails console directly:
user.password = 'secret_pass' user.password_confirmation = 'secret_pass' user.save!
- Sidney (Systems Administrator)
- Sam (Security Analyst)
Adjusting the text to indicate that an administrator performed the change would greatly improve the communication process when having to reset accounts due to activity such as credential stuffing.
Change the text sent out when the password is reset by the admin to read:
An administrator has changed the password for your GitLab account on http://localhost:3001. Please contact your administrator with any questions.
Further work would be to allow the admin to specify an additional message to be included in the email.
Permissions and Security
Only Admin users should be allowed to reset a user's password or force a password change.
The documentation should be updated to indicate that an email is generated when a password change is done by an admin.
What does success look like, and how can we measure that?
While remediating credential stuffing attacks that are successful due to password reuse, resetting the affected account passwords must be done along with a notification email. Because the timing of the additional notification email and the delay in sending out bulk message, a number of support issues are filed. The number of support tickets should decrease after this change is made.