Security Basics mailing list archives
Re: How secure is Email based password reset?
From: "Anders Reed Mohn" <anders_rm () utepils com>
Date: Wed, 14 May 2003 12:17:01 +0200
----- Original Message ----- From: "S. Rohit" <s.rohit () usa net>
This is a very neat and elegant solution proposed by Dan. The only problem in this solution can be to ensure that the SSL session does not time out before the email is received by the user.
Good point. There is also another flaw with this approach: many questions can be answered with different spellings. This would mess up the hash. For instance: if the question is "What is your favourite pet?", the original answer could well have been "the dog", but the user might try "dog", "a dog", "my dog" or "Fido" when trying to answer it. These are equally good answers, but won't work.

Cheers,
Anders :)
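An added illustration of the mismatch described in this message (not code from the thread or from Dan's proposal): it assumes the answer is stored as a salted PBKDF2 hash, and compares hashing the raw text with hashing a canonical form. The function names and the list of dropped leading words are hypothetical, chosen for this example.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Leading words dropped before hashing (assumed list, English only).
_LEADING = {"a", "an", "the", "my", "our"}

def normalize(answer: str) -> bytes:
    """Canonical form: NFKC, casefolded, punctuation removed, leading words dropped."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    words = re.sub(r"[^\w\s]", " ", text).split()
    while len(words) > 1 and words[0] in _LEADING:
        words.pop(0)
    return " ".join(words).encode("utf-8")

def _digest(data: bytes, salt: bytes) -> bytes:
    # Slow salted hash so stored answers are costly to guess offline.
    return hashlib.pbkdf2_hmac("sha256", data, salt, 100_000)

def enroll(answer: str, canonical: bool = True):
    """Return the (salt, hash) record stored at registration time."""
    salt = os.urandom(16)
    data = normalize(answer) if canonical else answer.encode("utf-8")
    return salt, _digest(data, salt)

def verify(attempt: str, record, canonical: bool = True) -> bool:
    """Hash the attempt the same way and compare in constant time."""
    salt, stored = record
    data = normalize(attempt) if canonical else attempt.encode("utf-8")
    return hmac.compare_digest(_digest(data, salt), stored)

# The variants named in the message above.
ATTEMPTS = ["the dog", "dog", "a dog", "my dog", "Fido"]

def compare(original: str = "the dog"):
    """Map each attempt to (matches raw hash, matches normalized hash)."""
    raw = enroll(original, canonical=False)
    canon = enroll(original, canonical=True)
    return {a: (verify(a, raw, False), verify(a, canon, True)) for a in ATTEMPTS}

if __name__ == "__main__":
    for attempt, (raw_ok, canon_ok) in compare().items():
        print(f"{attempt!r:10} raw={raw_ok!s:5} normalized={canon_ok}")
```

Normalization recovers the article and possessive variants, but "Fido" is a different answer and still fails; canonicalizing also makes the set of distinct stored answers smaller.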