in reply to Re^3: It's Time for Everyone to Change Passwords!
in thread It's Time for Everyone to Change Passwords!
> If a password reset ability is provided to unauthenticated users (those who have forgotten their passwords can't authenticate) this function can be abused to interfere with legitimate access. Any unauthenticated user can request a password reset for any other user, as long as they know whatever is used to specify the account (typically a login ID or email address).

Who said anything about a reset? You have a form you can surf to, to say "Hey, I'm merlyn, I forgot my password". It emails you a link with a strong crypto key that when you visit that link, you're *logged in* to a password reset form.
Thus, any number of invocations of that page would not affect me if I was continuing to already know my password.
Most sites get this wrong. {sigh}
You'd think common password patterns would be already firmly tested and entrenched in every webdev's mind, after, say, a decade and a half of the web? I guess not.
-- Randal L. Schwartz, Perl hacker
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.
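The flow described in the reply above, as an added example that is not part of the original post or of any PerlMonks code: a "forgot my password" request only mints a random link token and emails it, and nothing about the account changes until someone holding that link visits it. The point worth checking is the one merlyn makes: any number of unauthenticated requests leave the existing password working. The class, the 15-minute lifetime, the `example.invalid` URL, and the in-memory stores are all assumptions; a real deployment would use a slow password hash and a database.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link


class ResetByLink:
    """Toy model of reset-by-emailed-link (constructed for illustration)."""

    def __init__(self):
        self.passwords = {}  # user -> password hash (constructed sample store)
        self.pending = {}    # sha256(token) -> (user, expiry timestamp)
        self.outbox = []     # (user, url) pairs captured instead of sending mail

    def register(self, user, password):
        self.passwords[user] = self._hash_pw(password)

    def login(self, user, password):
        stored = self.passwords.get(user)
        return stored is not None and hmac.compare_digest(stored, self._hash_pw(password))

    def request_reset(self, user):
        # Reachable by anyone who knows a login ID. It must not alter
        # anything the legitimate user relies on, so it only records a
        # pending token and "sends" a link; the password is untouched.
        if user in self.passwords:
            token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
            self.pending[self._hash_token(token)] = (user, time.time() + TOKEN_TTL_SECONDS)
            self.outbox.append((user, f"https://example.invalid/reset?token={token}"))
        return None  # same observable result whether or not the user exists

    def complete_reset(self, token, new_password, now=None):
        # Visiting the link is the authenticating step; the token is
        # consumed on first use and rejected after its expiry.
        now = time.time() if now is None else now
        entry = self.pending.pop(self._hash_token(token), None)
        if entry is None:
            return False
        user, expiry = entry
        if now > expiry:
            return False
        self.passwords[user] = self._hash_pw(new_password)
        return True

    @staticmethod
    def _hash_pw(password):
        # Placeholder only; use bcrypt/scrypt/argon2 for real passwords.
        return hashlib.sha256(b"pw:" + password.encode()).hexdigest()

    @staticmethod
    def _hash_token(token):
        # Only the hash is stored, so a copied table yields no usable links.
        return hashlib.sha256(b"tok:" + token.encode()).hexdigest()


def _token_from(url):
    return url.split("token=", 1)[1]


def flood_then_reset():
    """Many unsolicited requests, then one genuine use of a link."""
    svc = ResetByLink()
    svc.register("merlyn", "correct horse battery")
    for _ in range(100):  # someone hammering the request form
        svc.request_reset("merlyn")
    still_logs_in = svc.login("merlyn", "correct horse battery")
    token = _token_from(svc.outbox[0][1])
    changed = svc.complete_reset(token, "new passphrase")
    replayed = svc.complete_reset(token, "someone else's pick")
    new_works = svc.login("merlyn", "new passphrase")
    return still_logs_in, changed, replayed, new_works


def expired_link_is_rejected():
    svc = ResetByLink()
    svc.register("ig", "vicar")
    svc.request_reset("ig")
    token = _token_from(svc.outbox[0][1])
    late = time.time() + TOKEN_TTL_SECONDS + 1
    return svc.complete_reset(token, "anything", now=late) is False and svc.login("ig", "vicar")


if __name__ == "__main__":
    print(flood_then_reset())        # (True, True, False, True)
    print(expired_link_is_rejected())  # True
```

Storing only a hash of the token and consuming it on first use are the two details that keep the emailed link from becoming a second, weaker password; the flood test is the property the post is arguing for, namely that unauthenticated requests cannot lock out someone who still knows their password.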
Replies are listed 'Best First'.
Re^5: It's Time for Everyone to Change Passwords! by ig (Vicar) on Jul 30, 2009 at 05:01 UTC