16) Storing them encrypted with a "reset my password" featur

IWETHEY v. 0.3.0 | TODO

1,095 registered users | 1 active user | 0 LpH | Statistics
Login | Create New User

Welcome to IWETHEY!

Post #185,635

by folkert

11/30/04 6:33:33 PM

11/30/04 6:38:09 PM

16) Storing them encrypted with a "reset my password" featur

16) Storing them encrypted with a "reset my password" feature that emails a new random password reset URL. That URL times-out after 24-36 hours or gets removed if another request is made during the timeout period. If the URL never gets used, the reset never happens, but if it does get used, the password is reset by the requestor on that page. Also, limit the number of requests per day, to evade a Mail DoS.

I hate reminder based password crap, never want someone to have to service my own problems. Let me take care of mine.

--
[link|mailto:greg@gregfolkert.net|greg],
[link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ i_wethey

No matter how much Microsoft supporters whine about how Linux and other operating systems have just as many bugs as their operating systems do, the bottom line is that the serious, gut-wrenching problems happen on Windows, not on Linux, not on Mac OS. -- [link|http://www.eweek.com/article2/0,1759,1622086,00.asp|source]
Here is an example: [link|http://www.greymagic.com/security/advisories/gm001-ie/|Executing arbitrary commands without Active Scripting or ActiveX when using Windows]

Edited by folkert Nov. 30, 2004, 06:38:09 PM EST

4) Storing them encrypted with a "reset my password" feature

4) Storing them encrypted with a "reset my password" feature that emails a new random password reset URL. That URL times-out after 24-36 hours or gets removed if another request is made during the timeout period. If the URL never gets used, the reset never happens, but if it does get used, the password is reset by the requestor on that page.

I hate reminder based password crap, never want someone to have to service my own problems. Let me take care of mine.

--
[link|mailto:greg@gregfolkert.net|greg],
[link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ i_wethey

No matter how much Microsoft supporters whine about how Linux and other operating systems have just as many bugs as their operating systems do, the bottom line is that the serious, gut-wrenching problems happen on Windows, not on Linux, not on Mac OS. -- [link|http://www.eweek.com/article2/0,1759,1622086,00.asp|source]
Here is an example: [link|http://www.greymagic.com/security/advisories/gm001-ie/|Executing arbitrary commands without Active Scripting or ActiveX when using Windows]

Collapse All History

zIWT meta: Which is better: - (admin) - (66) - Nov. 30, 2004, 09:02:55 PM EST

3) -NT - (mmoffitt) - Nov. 30, 2004, 02:43:44 PM EST

1) - (jb4) - (3) - Nov. 30, 2004, 02:50:26 PM EST

Not for long, at least... -NT - (admin) - (2) - Nov. 30, 2004, 02:51:30 PM EST

Is that a threat?!? -NT - (jb4) - (1) - Nov. 30, 2004, 05:27:37 PM EST

You should know by now... - (admin) - Nov. 30, 2004, 05:31:06 PM EST

3, with verification - (Arkadiy) - (29) - Nov. 30, 2004, 02:52:40 PM EST

Seconded. -NT - (Yendor) - Nov. 30, 2004, 02:54:26 PM EST

NO - (FuManChu) - (27) - Nov. 30, 2004, 02:57:04 PM EST

Er, buh? - (admin) - (3) - Nov. 30, 2004, 02:58:41 PM EST

That's enough of a detriment not to warrant the risk IMO -NT - (FuManChu) - (2) - Nov. 30, 2004, 04:13:16 PM EST

? -NT - (admin) - (1) - Nov. 30, 2004, 04:16:38 PM EST

?? -NT - (drewk) - Nov. 30, 2004, 05:46:20 PM EST

Yeah - (Yendor) - (11) - Nov. 30, 2004, 03:01:36 PM EST

How is that insecure? - (FuManChu) - (2) - Nov. 30, 2004, 04:17:29 PM EST

You're unclear on this. - (admin) - (1) - Nov. 30, 2004, 04:18:26 PM EST

See below. -NT - (FuManChu) - Nov. 30, 2004, 04:22:21 PM EST

You only need one field labeled "Hint" - (tuberculosis) - (7) - Aug. 21, 2007, 06:13:52 AM EDT

Sure... - (Yendor) - (6) - Dec. 1, 2004, 02:06:55 PM EST

Bah. - (admin) - Dec. 1, 2004, 02:10:59 PM EST

Not quite - (FuManChu) - (4) - Dec. 1, 2004, 04:35:59 PM EST

And my point is... - (Yendor) - (3) - Dec. 1, 2004, 08:03:26 PM EST

I have a standard formula I use for passwords. - (folkert) - (2) - Dec. 1, 2004, 10:20:06 PM EST

I also have a standard formula - (daemon) - (1) - Dec. 1, 2004, 10:40:44 PM EST

Ding, Ding, Ding. - (folkert) - Dec. 1, 2004, 11:06:54 PM EST

It's only insecure if the user is allowed to proceed - (imric) - (10) - Nov. 30, 2004, 03:13:54 PM EST

Bah. Risk is the issue. - (FuManChu) - (9) - Nov. 30, 2004, 04:22:03 PM EST

So what's YOUR suggestion? -NT - (admin) - (4) - Nov. 30, 2004, 04:23:51 PM EST

Unfortunately for you #1 ;) - (FuManChu) - (3) - Nov. 30, 2004, 04:39:05 PM EST

WTF? - (admin) - (2) - Nov. 30, 2004, 04:41:00 PM EST

Sorry. You're right. I didn't read carefully. - (FuManChu) - (1) - Nov. 30, 2004, 04:44:04 PM EST

So how does that change your answer? - (admin) - Nov. 30, 2004, 04:48:36 PM EST

Same risk than we have now during login. - (imric) - (2) - Nov. 30, 2004, 04:30:48 PM EST

Same outcome, different risk--the attack surface has doubled -NT - (FuManChu) - Nov. 30, 2004, 04:37:17 PM EST

Not mine. - (CRConrad) - Dec. 1, 2004, 02:33:03 AM EST

Can we please weight the risks - (Arkadiy) - Dec. 1, 2004, 02:04:43 PM EST

3) with some safeguards? - (Another Scott) - Nov. 30, 2004, 02:55:35 PM EST

4) WikiWay: everything wide open ... muuuaaaahahahahahaha -NT - (drewk) - (1) - Nov. 30, 2004, 03:29:24 PM EST

Shaddap wid' yer shaddin' ap... -NT - (admin) - Nov. 30, 2004, 03:30:31 PM EST

3 with a "what is your dog's name?" thingie -NT - (Silverlock) - Nov. 30, 2004, 03:44:54 PM EST

I'll join Ark, Scott(2), Don(Silverback), and YendorMike: 3+ - (CRConrad) - (2) - Nov. 30, 2004, 04:07:55 PM EST

<raises hand> on that last bit. :-) -NT - (Another Scott) - Nov. 30, 2004, 04:12:16 PM EST

Aye - 3) with - (imric) - Nov. 30, 2004, 04:24:18 PM EST

Another few options: - (admin) - (9) - Nov. 30, 2004, 04:50:29 PM EST

I'd rather not vote on solutions until we discuss risks - (FuManChu) - (8) - Nov. 30, 2004, 05:43:54 PM EST

Re: I'd rather not vote on solutions until we discuss risks - (admin) - (7) - Nov. 30, 2004, 05:53:17 PM EST

Okay, start with costs of current proposals - (FuManChu) - (3) - Nov. 30, 2004, 07:39:31 PM EST

Missed the point. :-) - (admin) - (2) - Nov. 30, 2004, 08:53:54 PM EST

Understood, but you're use case #1 - (FuManChu) - (1) - Nov. 30, 2004, 10:29:59 PM EST

I can do private keys... - (folkert) - Nov. 30, 2004, 10:40:15 PM EST

What do you want the software to do? - (Another Scott) - (2) - Nov. 30, 2004, 09:10:22 PM EST

Nope, wrong - (drewk) - (1) - Nov. 30, 2004, 09:35:34 PM EST

Yes, a *good* challenge question would be needed. - (Another Scott) - Nov. 30, 2004, 11:26:03 PM EST

how about 4, the way we do it now - (daemon) - (3) - Nov. 30, 2004, 05:18:15 PM EST

Which is? - (Another Scott) - Nov. 30, 2004, 05:21:17 PM EST

And what would that be? - (admin) - (1) - Nov. 30, 2004, 05:21:46 PM EST

the way it works now - (daemon) - Nov. 30, 2004, 05:34:53 PM EST

How about 5... - (jb4) - Nov. 30, 2004, 05:32:45 PM EST

16) Storing them encrypted with a "reset my password" featur - (folkert) - Nov. 30, 2004, 06:38:09 PM EST

A variation on 2) - (altmann) - Nov. 30, 2004, 07:36:03 PM EST

3), with a question 1st. -NT - (broomberg) - Nov. 30, 2004, 08:03:43 PM EST

3 with a proviso - (ChrisR) - (1) - Nov. 30, 2004, 08:23:21 PM EST

I like that! -NT - (Arkadiy) - Dec. 1, 2004, 02:10:44 PM EST

3. Puts the onus of keeping valid email address on user. -NT - (a6l6e6x) - Nov. 30, 2004, 09:08:12 PM EST

3 -NT - (pwhysall) - Dec. 1, 2004, 07:52:52 AM EST

6. - (static) - Dec. 5, 2004, 08:45:34 PM EST

"zIWT meta: Which is better:" Voting/Ratification (new thread) - (folkert) - Dec. 5, 2004, 09:59:30 PM EST

iwethey.org

I signed a contract that said so.
64 ms