Security Basics mailing list archives

Re: How secure is Email based password reset?


From: "Anders Reed Mohn" <anders_rm () utepils com>
Date: Wed, 14 May 2003 12:17:01 +0200


----- Original Message ----- 
From: "S. Rohit" <s.rohit () usa net>
    This is a very neat and elegant solution proposed by Dan. The only
problem in this solution can be to ensure that the SSL session does not
time out before the email is received by the user.

Good point.
There is also another flaw with this approach: many questions can be answered
with different spellings. This would mess up the hash.
For instance, if the question is "What is your favourite pet?", the original
answer could well have been "the dog", but the user might try "dog", "a dog",
"my dog" or "Fido" when trying to answer it. These are equally good answers,
but won't work.


Cheers,
Anders :)
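The spelling problem Anders describes comes from hashing the raw answer string. As an added illustration (not code from the thread), the snippet below canonicalises a free-text answer before hashing it, so "the dog", "Dog" and "my dog" all verify against the same stored digest, while a genuinely different answer such as "Fido" still fails; the filler-word list and the PBKDF2 parameters are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Optional, Tuple

# Leading words that carry no identifying content in a free-text answer
# (assumed list for this example; a real deployment would tune it per locale).
_FILLER = {"the", "a", "an", "my", "our"}


def normalize_answer(answer: str) -> str:
    """Canonicalise a security-question answer before hashing.

    Casefold, strip accents and punctuation, collapse whitespace and drop
    leading filler words, so "the dog", "Dog" and "my dog" all map to "dog".
    Note that this also shrinks the answer space: normalised answers are
    weaker secrets than passwords and must be rate-limited accordingly.
    """
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = re.sub(r"[^\w\s]", " ", text.casefold())
    words = text.split()
    while words and words[0] in _FILLER:
        words.pop(0)
    return " ".join(words)


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) of the normalised answer using PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, 100_000
    )
    return salt, digest


def verify_answer(candidate: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time check of a candidate answer against the stored digest."""
    _, digest = hash_answer(candidate, salt)
    return hmac.compare_digest(digest, stored)
```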

