Re: Most secure way to reset a password via email link [message #185167 is a reply to message #185165]
Wed, 05 March 2014 22:44
Peter H. Coffin
On Wed, 05 Mar 2014 14:26:21 -0700, Chuck Anderson wrote:
> J.O. Aho wrote:
>> On 05/03/14 14:02, jvd_200089(at)yahoo(dot)co(dot)uk wrote:
>>
>>> 2) The other way involves sending a link for them to click on that
>>> redirects them to the password reset page but unless their email
>>> is secure anyone could click that link.
>>
>> Sure, but you could use those really stupid questions like "what was
>> your mother's maiden name" to make it a bit more difficult to just
>> hijack when someone has taken over someone else's mail account.
>
> Yes, ... I hate these challenge question schemes. I do not like being
> forced to share things like my mother's maiden name - or other, perhaps,
> private information with other people. Do they hash those answers, too?
> If not, it's like giving away the keys to any other site where I use
> that. If I pick a random question and supply a random answer, how do I
> remember it?
>
> I noticed that my answer at one site can be mistyped slightly and still
> pass. This would imply that they are saving this information in plain
> text. Stupid is as stupid does.
This is not primary authentication -- it's *typically* designed only to
limit the number of spurious password resets you could be deluged with.
Someone has to know enough about you to pass that hurdle to even send a
reset. My own sites use a delay mechanism; only one link to reset an
account password will be generated per day. Miss that link, you'll be
trying again tomorrow instead. (The link mailed is what starts the
invalidation/reset process. Merely having the reset link sent doesn't
affect the account at all, save setting a "reset link request date" that
must be in the past before a new reset link can be sent.)
> I think this kind of thing (and requirements on password strength)
> create a security problem of their own by forcing people to record this
> information somewhere and then keep it handy.
Go ahead and write it down. It's more secure these days to record
passwords only you have access to than it is to NOT record whatever
handful of memorable passwords, even combined with some kind of "mental
hash".
--
60. My five-year-old child advisor will also be asked to decipher any
code I am thinking of using. If he breaks the code in under 30
seconds, it will not be used. Note: this also applies to passwords.
--Peter Anspach's list of things to do as an Evil Overlord
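The one-link-per-day reset scheme Peter describes, together with hashed (rather than plaintext) challenge answers as Chuck asks about, as an added example that is not code from the original thread. It is written in Python rather than PHP, and the account fields, the two-hour link lifetime, the PBKDF2 round count and the sample account are assumptions for illustration:

```python
# Added example, not code from the original post. Models the scheme in the
# thread: requesting a link only records a "reset link request date" and a
# hash of the token; clicking the link is what changes the password; at most
# one link per account per RESET_INTERVAL. Interval, link lifetime and round
# count are assumed values, chosen for illustration.
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from typing import Optional

RESET_INTERVAL = timedelta(days=1)   # one reset link per account per day
LINK_TTL = timedelta(hours=2)        # assumed: how long a mailed link stays usable
PBKDF2_ROUNDS = 100_000              # illustrative; tune to your hardware

# Constructed reference time (the post's timestamp) so callers can say at(hours).
T0 = datetime(2014, 3, 5, 22, 44, tzinfo=timezone.utc)


def at(hours: float) -> datetime:
    """T0 plus the given number of hours; used to drive the examples below."""
    return T0 + timedelta(hours=hours)


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Slow, salted hash used for both passwords and challenge answers."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def normalise_answer(answer: str) -> str:
    """Tolerate case and surrounding/repeated whitespace, nothing more.

    Because only the hash is stored, a genuine typo ("Smyth" for "Smith")
    cannot match, unlike a plaintext comparison with fuzzy matching.
    """
    return " ".join(answer.split()).lower()


class Account:
    def __init__(self, email: str, password: str, challenge_answer: str):
        self.email = email
        self.pw_salt = secrets.token_bytes(16)
        self.answer_salt = secrets.token_bytes(16)
        self.password_hash = hash_secret(password, self.pw_salt)
        self.answer_hash = hash_secret(normalise_answer(challenge_answer), self.answer_salt)
        # Reset state: requesting a link touches only these three fields.
        self.reset_requested_at: Optional[datetime] = None  # "reset link request date"
        self.reset_token_hash: Optional[str] = None         # never the token itself
        self.reset_expires_at: Optional[datetime] = None


def check_password(account: Account, password: str) -> bool:
    return hmac.compare_digest(hash_secret(password, account.pw_salt), account.password_hash)


def check_answer(account: Account, answer: str) -> bool:
    candidate = hash_secret(normalise_answer(answer), account.answer_salt)
    return hmac.compare_digest(candidate, account.answer_hash)


def request_reset(account: Account, answer: str, now: datetime) -> Optional[str]:
    """Return the token to embed in the mailed link, or None if refused.

    Refused when the challenge answer is wrong or when a link was already
    issued within RESET_INTERVAL. The password is untouched either way.
    """
    if not check_answer(account, answer):
        return None
    if account.reset_requested_at is not None and now < account.reset_requested_at + RESET_INTERVAL:
        return None
    token = secrets.token_urlsafe(32)
    account.reset_requested_at = now
    account.reset_token_hash = hashlib.sha256(token.encode()).hexdigest()
    account.reset_expires_at = now + LINK_TTL
    return token


def complete_reset(account: Account, token: str, new_password: str, now: datetime) -> bool:
    """Following the link is what actually resets the password; the token is single-use."""
    if account.reset_token_hash is None or account.reset_expires_at is None:
        return False
    if now > account.reset_expires_at:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, account.reset_token_hash):
        return False
    account.pw_salt = secrets.token_bytes(16)
    account.password_hash = hash_secret(new_password, account.pw_salt)
    account.reset_token_hash = None
    account.reset_expires_at = None
    return True


if __name__ == "__main__":
    acct = Account("bob@example.com", "hunter2", "Smith")   # constructed sample account
    token = request_reset(acct, "smith", at(0))
    print("second request same day refused:", request_reset(acct, "smith", at(1)) is None)
    print("password still the old one:", check_password(acct, "hunter2"))
    print("reset via link:", complete_reset(acct, token, "new-pass", at(1)))
```

Two design points worth noting: only a SHA-256 of the reset token is stored, so a read of the user table does not yield usable links, and all comparisons go through `hmac.compare_digest` so neither the token nor the answer check leaks through timing. The normalisation is the whole extent of the tolerance; anything beyond lowercasing and whitespace collapsing fails, which is exactly the property a hashed answer should have.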