gnuherds-app-dev

Re: Hide email validation in "Lost password" page? -- Security bug


From: Victor Engmark
Subject: Re: Hide email validation in "Lost password" page? -- Security bug
Date: Wed, 18 Apr 2007 17:17:39 +0200

On 4/18/07, Antenore Gatta <address@hidden> wrote:
> Obviously I agree as well...
>
> What about an additional step to check also the user ID?
> I mean:
>
> 1. Generate a (random?) user ID for all the already registered users
> (the same during registration).
> 2. Send the user ID by email.
>
> When the user asks for the password reminder he must provide both
> email and user ID.
>
> This is to avoid brute force attacks, i.e. the user johnHerds with
> email address@hidden
>
> The drawback is that we also need a user ID reminder.... But it's quite secure.

I think the last remark is the problem. We should ask for only one thing, a user name or an email address. I believe the email address is the easiest to use, and it seems that most new services on the web agree. Speaking only for myself, I've used at least four different user names, but only one email address, for registration on the web.

By the way, we should implement some way to change the email address. For that reason, it should not be (part of) the primary key in any of our tables (I'm too lazy to check this now).

Actually, we could consider OpenID or public / private keys. The latter, however, would probably be technically difficult to make properly secure, very few end users know how to use them, and it should provide some additional value to just password retrieval to make sure people register their public keys.

--
Victor Engmark
Quidquid latine dictum sit, altum videtur - What is said in Latin, sounds profound
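As an added example (not code from the gnuherds application nor from either poster): a lost-password handler that returns the same reply and does the same work whether or not the address is registered, so the page no longer confirms which emails exist, plus a variant of the email-plus-user-ID check proposed in the quoted mail. The user table, user IDs and the Outbox class are constructed for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample user table (email -> account); the real schema is not on the page.
REGISTERED = {
    "alice@example.org": {"user_id": "u-7f3a"},
    "bob@example.org": {"user_id": "u-19c2"},
}
DUMMY_ID = "u-0000"  # compared against when the address is unknown, to keep work equal
GENERIC_REPLY = "If that address is registered, a reset message has been sent."


@dataclass
class Outbox:
    """Stand-in for the mailer: records (recipient, token) pairs."""
    sent: list = field(default_factory=list)


def request_reset(email: str, outbox: Outbox, users: dict = REGISTERED) -> str:
    """Lost-password handler that does not reveal whether `email` is registered.

    Both branches generate a token, do one lookup and return the same text,
    so neither the response body nor its timing distinguishes known from
    unknown addresses. Only a real account actually gets a message.
    """
    token = secrets.token_urlsafe(32)            # always generated
    account = users.get(email.strip().lower())
    if account is not None:
        outbox.sent.append((email, token))       # the token travels by e-mail only
    return GENERIC_REPLY


def request_reset_with_user_id(email: str, user_id: str, outbox: Outbox,
                               users: dict = REGISTERED) -> str:
    """Variant of the quoted proposal: the requester must supply the address
    and the per-user ID mailed at registration. The ID comparison is
    constant-time and the reply stays generic, so a wrong ID and an unknown
    address are indistinguishable to the requester."""
    token = secrets.token_urlsafe(32)
    account = users.get(email.strip().lower())
    expected = account["user_id"] if account is not None else DUMMY_ID
    match = hmac.compare_digest(expected.encode(), user_id.encode())
    if account is not None and match:
        outbox.sent.append((email, token))
    return GENERIC_REPLY
```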