WebApp Sec mailing list archives

Re: Password Recovery (long) was Re: "Forgot Password" function


From: "Sverre H. Huseby" <shh () thathost com>
Date: Sat, 19 Oct 2002 18:22:40 +0200

Good read, Charles!  I just have one comment:

[Charles Miller]

|   Encrypted Email
|   ===============
|   
|   A secure channel method, sending an email encrypted with some
|   secret only known to the customer is possible, but is sufficiently
|   impractical that it only deserves one sentence here.

If the user was allowed to upload or paste his PGP/GPG/whatever public
key during registration, this isn't impractical at all, as I see it.
Of course, most people don't have such a key.  But at least we leave
it to the user to decide if he wants to have the password encrypted
rather than in clear text.

Hopefully the password to activate the private key isn't the same as
the password the user just forgot...  ;-)


Sverre.

-- 
shh () thathost com             Computer Geek?  Try my Nerd Quiz
http://shh.thathost.com/        http://nerdquiz.thathost.com/
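
The key-at-registration channel Sverre describes, sketched as an added example; this is not code from the thread or from either author. OpenPGP is not implemented here: RSA-OAEP from the third-party `cryptography` package stands in for "encrypt to the user's public key" (in practice the stored key would be an ASCII-armoured OpenPGP key and gpg would do the encryption, but the shape of the flow is the same). The `Account` model, the function names, the passphrase and the e-mail addresses are all hypothetical, and the environment is assumed to have `cryptography` installed.

```python
"""Sketch of a recovery channel where the user may paste a public key at
registration and recovery mail is encrypted to it. Added illustration, not
code from the mailing-list thread. RSA-OAEP stands in for OpenPGP."""
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# OAEP parameters shared by the site (encrypt) and the user (decrypt).
_OAEP = padding.OAEP(
    mgf=padding.MGF1(algorithm=hashes.SHA256()),
    algorithm=hashes.SHA256(),
    label=None,
)


@dataclass
class Account:  # hypothetical account record
    email: str
    # Public key the user pasted at registration. None for the many users
    # who have no key; the choice is theirs, which is Sverre's point.
    pubkey_pem: Optional[bytes] = None


def register(email: str, pubkey_pem: Optional[bytes] = None) -> Account:
    """Create the account. A supplied key is validated *now*, at registration,
    not later at recovery time when the user is locked out and cannot fix it."""
    if pubkey_pem is not None:
        serialization.load_pem_public_key(pubkey_pem)  # raises ValueError on garbage
    return Account(email=email, pubkey_pem=pubkey_pem)


def build_recovery_mail(acct: Account, secret: bytes) -> Tuple[str, bytes]:
    """Return (channel, body) for the recovery e-mail.

    `secret` is whatever the site has decided to send (Charles's post covers
    the options). With a registered key the body is encrypted to that key and
    the server never touches a private key; without one it goes out in clear,
    exactly as it would have without this feature.
    """
    if acct.pubkey_pem is None:
        return "cleartext", secret
    pub = serialization.load_pem_public_key(acct.pubkey_pem)
    return "encrypted", pub.encrypt(secret, _OAEP)


# --- user side: what the user's own keyring would do -------------------------

def make_user_keypair(passphrase: bytes) -> Tuple[bytes, bytes]:
    """Constructed demo keypair for the user. The private key is stored
    encrypted under `passphrase`; as the thread jokes, that passphrase had
    better not be the site password the user has just forgotten."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    priv_pem = key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.PKCS8,
        encryption_algorithm=serialization.BestAvailableEncryption(passphrase),
    )
    pub_pem = key.public_key().public_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PublicFormat.SubjectPublicKeyInfo,
    )
    return priv_pem, pub_pem


def open_recovery_mail(priv_pem: bytes, passphrase: bytes,
                       channel: str, body: bytes) -> bytes:
    """The user reads the mail: cleartext is returned as-is, an encrypted body
    is decrypted with the private key unlocked by its own passphrase."""
    if channel == "cleartext":
        return body
    key = serialization.load_pem_private_key(priv_pem, password=passphrase)
    return key.decrypt(body, _OAEP)


if __name__ == "__main__":
    priv, pub = make_user_keypair(b"keyring passphrase, not the site password")
    alice = register("alice@example.invalid", pub)          # pasted a key
    bob = register("bob@example.invalid")                    # did not
    secret = secrets.token_urlsafe(16).encode()
    for acct in (alice, bob):
        channel, body = build_recovery_mail(acct, secret)
        print(acct.email, "->", channel, len(body), "bytes")
    channel, body = build_recovery_mail(alice, secret)
    recovered = open_recovery_mail(priv, b"keyring passphrase, not the site password",
                                   channel, body)
    print("alice recovered her secret:", recovered == secret)
```

Running the block shows Alice's mail going out as 256 bytes of ciphertext that only her key opens, while Bob, who pasted no key, gets the same cleartext mail the site would have sent anyway; the site's code path differs only in the one `encrypt` call.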
