WebApp Sec
mailing list archives
Re: Password Recovery (long) was Re: "Forgot Password" function
From: "Sverre H. Huseby" <shh () thathost com>
Date: Sat, 19 Oct 2002 18:22:40 +0200
Good read, Charles! I just have one comment:
[Charles Miller]
| Encrypted Email
| ===============
|
| A secure channel method, sending an email encrypted with some
| secret only known to the customer is possible, but is sufficiently
| impractical that it only deserves one sentence here.
If the user was allowed to upload or paste his PGP/GPG/whatever public
key during registration, this isn't impractical at all, as I see it.
Of course, most people don't have such a key. But at least we leave
it to the user to decide if he wants to have the password encrypted
rather than in clear text.
Hopefully the password to activate the private key isn't the same as
the password the user just forgot... ;-)
Sverre.
--
shh () thathost com Computer Geek? Try my Nerd Quiz
http://shh.thathost.com/ http://nerdquiz.thathost.com/
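Added example (not part of the thread, not code from Sverre or Charles): the two pieces Sverre's suggestion needs on the server side. At registration, a pasted PGP public key block is checked before it is stored (armor framing, the RFC 4880 CRC-24 armor checksum, and that the first packet really is a Public-Key packet), so a malformed or wrong-type paste is rejected instead of silently producing unencryptable mail later. At recovery time, the mail body is encrypted to the stored key if there is one, and sent in clear text otherwise, which is the choice the user made. Everything here is assumed: the `Account` class and function names are mine, the `gpg` call assumes a GnuPG binary with `--recipient-file`, and the key bytes used in the usage note are constructed, not a real key.

```python
import base64
import subprocess
import tempfile
from dataclasses import dataclass
from typing import Optional

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB
BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"


def crc24(data: bytes) -> int:
    """CRC-24 used by OpenPGP ASCII armor (RFC 4880, section 6.1)."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor_public_key(packets: bytes) -> str:
    """Wrap raw OpenPGP packets in PUBLIC KEY BLOCK armor (used to build sample input)."""
    b64 = base64.b64encode(packets).decode()
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    check = "=" + base64.b64encode(crc24(packets).to_bytes(3, "big")).decode()
    return "\n".join([BEGIN, ""] + body + [check, END]) + "\n"


class InvalidKeyError(ValueError):
    """Raised when a pasted key block should be rejected at registration."""


def parse_armored_public_key(text: str) -> bytes:
    """Validate a user-pasted key block and return the raw OpenPGP packets."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise InvalidKeyError("not an ASCII-armored public key block")
    inner = lines[1:-1]
    # Armor headers ("Version: ...") precede a blank line; the body follows it.
    if "" in inner:
        inner = inner[inner.index("") + 1:]
    if not inner or not inner[-1].startswith("="):
        raise InvalidKeyError("missing armor checksum")
    try:
        packets = base64.b64decode("".join(inner[:-1]), validate=True)
        expected = int.from_bytes(base64.b64decode(inner[-1][1:], validate=True), "big")
    except ValueError as exc:
        raise InvalidKeyError("malformed base64 in key block") from exc
    if crc24(packets) != expected:
        raise InvalidKeyError("armor checksum mismatch")
    # The first packet of a public key must be a Public-Key packet (tag 6);
    # old-format tags sit in bits 5..2, new-format tags in bits 5..0.
    if not packets or not packets[0] & 0x80:
        raise InvalidKeyError("not an OpenPGP packet")
    tag = packets[0] & 0x3F if packets[0] & 0x40 else (packets[0] >> 2) & 0x0F
    if tag != 6:
        raise InvalidKeyError(f"first packet has tag {tag}, expected a Public-Key packet")
    return packets


@dataclass
class Account:
    email: str
    pgp_key: Optional[bytes] = None  # packets validated at registration, or None


def gpg_encrypt(key_packets: bytes, plaintext: str) -> str:
    """Encrypt plaintext to the user's key with the gpg binary (assumed installed)."""
    with tempfile.NamedTemporaryFile(suffix=".gpg") as keyfile:
        keyfile.write(key_packets)
        keyfile.flush()
        # --recipient-file (GnuPG >= 2.1.14) reads the recipient key from a file,
        # so user-supplied keys never get imported into the service keyring.
        result = subprocess.run(
            ["gpg", "--batch", "--armor", "--trust-model", "always",
             "--recipient-file", keyfile.name, "--encrypt"],
            input=plaintext.encode(), capture_output=True, check=True)
    return result.stdout.decode()


def build_recovery_mail(account: Account, secret: str, encrypt=gpg_encrypt) -> dict:
    """Build the recovery mail: encrypted if the user registered a key, else clear text."""
    body = f"Your password recovery secret: {secret}\n"
    if account.pgp_key is None:
        return {"to": account.email, "encrypted": False, "body": body}
    return {"to": account.email, "encrypted": True, "body": encrypt(account.pgp_key, body)}
```

To try the registration check without a real key, `armor_public_key(b"\x99\x00\x05hello")` builds a block whose first byte decodes to tag 6 (constructed bytes, not a real key packet); flipping one base64 character in it makes `parse_armored_public_key` raise `InvalidKeyError` on the checksum. The `encrypt` parameter of `build_recovery_mail` exists so the decision logic can be exercised without gpg present.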