WebApp Sec mailing list archives
Re: Example of the worst passwd recovery interface
From: Javier Fernandez-Sanguino <jfernandez () germinus com>
Date: Fri, 05 Aug 2005 13:53:31 +0200
Yousef Syed wrote:
> On the other hand, you have sites (my bank is similar) that make password retrieval difficult/impossible. Though this could be inconvenient, I'd prefer my bank to deal with me in this manner.
Forcing users to retrieve passwords offline (i.e. going to the bank branch, as somebody mentioned) when they get blocked is actually a security feature. It not only helps prevent against deploying insecure password retrieval mechanisms, it makes online attacks much more difficult (somebody has to physically go to the branch, get recorded on a camera while he is in, etc., and an attack cannot be fully automated).

Just my few cents,

Javier