Educause Security Discussion mailing list archives

Re: Self-service password reset approaches


From: Chris Edwards <chris () ENG GLA AC UK>
Date: Fri, 17 Feb 2012 12:19:18 +0000

On Tue, 14 Feb 2012, Kevin Shalla wrote:

| If the account is compromised and the villain changed the password so 
| the account owner cannot log in, then we may lock the account if we 
| think it's really been compromised, but require the owner to come in to 
| get a new password

Right.


| (or if the owner had already set up a backup e-mail, then the person can 
| reset the password by using a link sent to that backup e-mail account).

How do you know the hacker hasn't changed the backup email address to 
one they control ??

It seems to me the "password reset link sent to backup email" plan is fine 
if the user forgets their password, but perhaps should not be allowed if 
the account is locked due to being compromised.  Here, the user needs to 
come in, or at least, re-authenticate themselves in some way the hacker 
cannot tamper with.

Chris


-- 
Chris Edwards
IT Security, Computing Service
University of Glasgow, charity number SC004401


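The distinction Chris draws above (a mailed reset link is acceptable for a forgotten password but not for an account locked because of compromise, since the intruder may have re-pointed the recovery address) can be written down as a small authorization policy. The following is an added example and not code from the thread or from any university's system. The account states, field names, the "in-person" method standing in for any out-of-band re-verification, and the seven-day cooling-off window for a freshly registered recovery address are all assumptions made for the illustration; the sample accounts are constructed.

```python
"""Self-service reset policy: which recovery path is acceptable in which
account state.  Added illustration only; states, field names, the 7-day
cooling-off window and the sample accounts are assumptions for the example."""

from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional


class AccountState(Enum):
    ACTIVE = "active"                          # normal account; owner may have forgotten the password
    LOCKED_COMPROMISED = "locked_compromised"  # locked by security staff after a suspected takeover


class Method(Enum):
    BACKUP_EMAIL = "backup_email"  # reset link mailed to the registered recovery address
    IN_PERSON = "in_person"        # owner verified out-of-band, e.g. at the service desk


@dataclass
class Account:
    username: str
    state: AccountState
    backup_email: Optional[str]
    backup_email_set_at: Optional[datetime]      # when the current recovery address was registered
    compromise_suspected_at: Optional[datetime]  # earliest time the intruder may have had control


# Assumed cooling-off period: a recovery address registered more recently than this is
# not trusted for a mailed reset, because an intruder may have just set it.
COOLING_OFF = timedelta(days=7)


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize_reset(acct: Account, method: Method, now: datetime) -> Decision:
    """Decide whether a password reset may proceed via `method` for `acct`."""
    # Out-of-band verification is the path the intruder cannot tamper with,
    # so it is acceptable in every account state.
    if method is Method.IN_PERSON:
        return Decision(True, "identity verified out-of-band")

    # From here on the requested method is BACKUP_EMAIL.
    if acct.backup_email is None:
        return Decision(False, "no recovery address on file")

    if acct.state is AccountState.LOCKED_COMPROMISED:
        # Once locked for compromise, anything the intruder could have edited while
        # logged in, the recovery address included, is untrusted: refuse outright.
        return Decision(False, "account locked for suspected compromise; recovery address "
                               "may have been changed by the intruder; require in-person reset")

    # Still ACTIVE, but the recovery address was changed after the suspected
    # compromise window opened: treat it as attacker-controlled.
    if (acct.compromise_suspected_at is not None and acct.backup_email_set_at is not None
            and acct.backup_email_set_at >= acct.compromise_suspected_at):
        return Decision(False, "recovery address changed after compromise was suspected")

    # Assumed extra check: a very recently registered recovery address is not yet trusted.
    if acct.backup_email_set_at is not None and now - acct.backup_email_set_at < COOLING_OFF:
        return Decision(False, "recovery address registered within the cooling-off period")

    return Decision(True, f"reset link may be mailed to {acct.backup_email}")


# Constructed sample data (not from the thread).
NOW = datetime(2012, 2, 17, 12, 0)

SAMPLE_ACCOUNTS = {
    # Owner simply forgot the password; the recovery address has been on file for months.
    "forgot": Account("alice", AccountState.ACTIVE, "alice@example.org",
                      NOW - timedelta(days=200), None),
    # Locked by security staff after a takeover; the intruder re-pointed the recovery address.
    "locked": Account("bob", AccountState.LOCKED_COMPROMISED, "attacker@example.net",
                      NOW - timedelta(days=1), NOW - timedelta(days=2)),
    # Still active, but the recovery address was changed yesterday.
    "fresh_email": Account("carol", AccountState.ACTIVE, "carol.new@example.org",
                           NOW - timedelta(days=1), None),
}


def run_examples() -> dict:
    """Evaluate both reset paths against every sample account."""
    return {
        (name, method): authorize_reset(acct, method, NOW)
        for name, acct in SAMPLE_ACCOUNTS.items()
        for method in Method
    }


if __name__ == "__main__":
    for (name, method), decision in run_examples().items():
        verdict = "ALLOW" if decision.allowed else "DENY"
        print(f"{name:12s} {method.value:13s} {verdict:5s} {decision.reason}")
```

The point the policy encodes is that the lock state, not the presence of a recovery address, decides whether the mailed link is trustworthy; the in-person path is the only one that remains valid once the intruder may have edited the profile.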