Home page logo
/

basics logo Security Basics mailing list archives

Re: How secure is Email based password reset?
From: "Anders Reed Mohn" <anders_rm () utepils com>
Date: Wed, 14 May 2003 12:17:01 +0200


----- Original Message ----- 
From: "S. Rohit" <s.rohit () usa net>
    This is a very neat and elegant solution proposed by Dan. The only
problem in this solution can be to ensure that the SSL session does not
time
out before the email is recieved by the user.

Good point.
There is also another flaw with this approach:  many questions can be
answered
with different spellings. This would mess up the hash,
For instance:  if the question is "What is your favourite pet?", the
original answer
could well have been "the dog", but the user might try "dog", "a dog", "my
dog" or "Fido",
when trying to answer it. These are equally good answers, but won't work.


Cheers,
Anders :)


---------------------------------------------------------------------------
Thinking About Security Training? You Can't Afford Not To!

Vigilar's industry leading curriculum includes:  Security +, Check Point, 
Hacking & Assessment, Cisco Security, Wireless Security & more! Register Now!
--UP TO 30% off classes in select cities-- 
http://www.securityfocus.com/Vigilar-security-basics
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]