WebApp Sec mailing list archives
RE: Account Lockouts
From: "Cunningham, Andy" <acunningham () rsasecurity com>
Date: Tue, 7 Dec 2004 11:04:33 -0000
For resetting passwords, one technique is to leave the password information on that user's voicemail. Ok, there's the chance that their voicemail could be compromised too, but it does add a level of difficulty for the attacker.

Andy

-----Original Message-----
From: Skander Ben Mansour [mailto:securityfocus () benmansour net]
Sent: 04 December 2004 21:26
To: 'Dean Saxe'; 'David LeBlanc'; 'Harrison Gladden'; webappsec () securityfocus com; secprog () securityfocus com
Subject: RE: Account Lockouts

Hello Dean,

In many environments, the helpdesk could be able to call back the user on a known telephone number. This method also has its flaws, but is quite common in corporate environments.

Similarly, banks should have their customers' telephone number in their records.

Best regards,

Skander Ben Mansour, CISSP
---
http://www.benmansour.net/

-----Original Message-----
From: Dean Saxe [mailto:Dean.Saxe () DigitalInsight com]
Sent: Thursday, December 02, 2004 4:49 PM
To: 'David LeBlanc'; Harrison Gladden; webappsec () securityfocus com; secprog () securityfocus com
Subject: RE: Account Lockouts

Even if the user calls, how do I know you are the user in question and not someone impersonating the user? I don't have a great answer for this and it's a question that comes up regularly when dealing with locked out accounts or resetting passwords.
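The thread above describes delivering reset information over a second channel (voicemail, a call-back to a number already on record). What the mail does not spell out is how the web application should treat whatever is left on that channel so that an attacker who later overhears it gains as little as possible. The following is an added example, not code from any poster or from the archive: a helpdesk issues a short, random one-time reset code for out-of-band delivery, and the application stores only a hash of it, expires it after a short window, consumes it on first successful use, and discards it after a few wrong guesses. The 15-minute lifetime, the three-attempt limit, the 8-digit code length and the in-memory store are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 15 * 60   # assumption: a reset code stays valid for 15 minutes
MAX_ATTEMPTS = 3             # assumption: three wrong guesses invalidate the code

# In-memory store for the example (assumption); a real system keeps this server-side,
# keyed by account, and never stores the plaintext code.
_pending = {}  # username -> {"code_hash": str, "expires_at": float, "attempts": int}


def _hash_code(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


def issue_reset_code(username: str, now=None) -> str:
    """Create a one-time code for the helpdesk to deliver out of band.

    The plaintext is returned only so it can be read onto voicemail or given
    on a call-back; the store keeps just a hash, so a leaked store does not
    yield usable codes.
    """
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**8):08d}"   # 8 random digits, zero-padded
    _pending[username] = {
        "code_hash": _hash_code(code),
        "expires_at": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code


def redeem_reset_code(username: str, submitted: str, now=None) -> bool:
    """Return True exactly once, for the correct code, within its lifetime.

    Expired codes and codes that have absorbed MAX_ATTEMPTS wrong guesses are
    dropped, forcing a fresh helpdesk contact rather than allowing unlimited guessing
    against a code that may sit on voicemail for days.
    """
    now = time.time() if now is None else now
    entry = _pending.get(username)
    if entry is None:
        return False
    if now > entry["expires_at"]:
        del _pending[username]
        return False
    entry["attempts"] += 1
    # Constant-time comparison of the hashes, so response timing does not reveal
    # how much of the submitted code was right.
    if hmac.compare_digest(entry["code_hash"], _hash_code(submitted)):
        del _pending[username]     # single use: consumed on success
        return True
    if entry["attempts"] >= MAX_ATTEMPTS:
        del _pending[username]     # guess budget exhausted
    return False


if __name__ == "__main__":
    # Constructed walk-through: helpdesk issues a code, user redeems it once.
    c = issue_reset_code("alice")
    print("code for voicemail:", c)
    print("first redeem:", redeem_reset_code("alice", c))    # True
    print("second redeem:", redeem_reset_code("alice", c))   # False, already used
```

The point of the design is that a code overheard from voicemail after the fact is worthless once it has either been used, expired, or guessed at too many times; the call-back to a known number still does the identity proofing, and the application only limits how far a compromise of that channel can be stretched.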