Home page logo

webappsec logo WebApp Sec mailing list archives

Re: Password Recovery (long) was Re: "Forgot Password" function
From: "Sverre H. Huseby" <shh () thathost com>
Date: Sat, 19 Oct 2002 18:22:40 +0200

Good read, Charles!  I just have one comment:

[Charles Miller]

|   Encrypted Email
|   ===============
|   A secure channel method, sending an email encrypted with some
|   secret only known to the customer is possible, but is sufficiently
|   impractical that it only deserves one sentence here.

If the user was allowed to upload or paste his PGP/GPG/whatever public
key during registration, this isn't impractical at all, as I see it.
Of course, most people don't have such a key.  But at least we leave
it to the user to decide if he wants to have the password encrypted
rather than in clear text.

Hopefully the password to activate the private key isn't the same as
the password the user just forgot...  ;-)


shh () thathost com             Computer Geek?  Try my Nerd Quiz
http://shh.thathost.com/        http://nerdquiz.thathost.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]