asking the user to remember this (and write it down if needed). Then ask for
that when the user enters his new password. It's easier than coming up with
something yourself which will be something close to the person in question
most of the time anyways (like wife's name, first child, the dog etc).
Jesse
-----Original Message-----
From: "Matt Robertson" <[EMAIL PROTECTED]>
To: CF-Talk <[EMAIL PROTECTED]>
Date: Mon, 5 Jan 2004 07:59:15 -0800
Subject: RE: Password Logic
Mauricio's system is definitely a cut above many others, but as was
pointed out it has a weakness. The email goes to a unique address, but
you can't guarantee the recipient is the actual user. You need to
authenticate the person and not the address to take this a step further.
I use the same system Mauricio describes, but I add in a hint/answer
supplied by the user. User writes the question out him/herself, and
supplies the case-sensitive answer. In addition to the two password
fields on the change screen, the user has to answer the question
correctly (it's up to the user to pick a q/a only they know and can
figure out... Another failure point but I can't see a way to strengthen
it).
When a user requests a new password, the admin gets an email (almost
always worthless, but on one occasion did alert me to a hack attempt).
If a user retries more than X times, I lock them out for the duration of
their session. Keeps out automated attacks and resets itself so the
admin doesn't get bothered too much.
I never send passwords. If a user fails the self-service system then I
tell them to run the change password routine. If they forget their
hint/answer and can be real-world authenticated then I wipe the
hint/answer and then make them change their password via the automated
system, which upon seeing no hint/answer will demand a new one.
The hint is encrypted, the answer is a salted hash.
Salted hash: Do the passwords like that as well. Adding salt prevents
two hashes from being unique no matter what, and kills dictionary
attacks (I still run proposed passwords thru a dictionary filter, just
to be mean).
Google 'salted hash' and read the MSDN Security Brief that should be the
#2 response. In addition to explaining the concept it has some
excellent free word-list dictionary sources in it, in many languages.
--------------------------------------------
Matt Robertson [EMAIL PROTECTED]
MSB Designs, Inc. http://mysecretbase.com
--------------------------------------------
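As an added illustration of the salted-hash storage and per-session lockout Matt describes above (example code written for this page, not from the thread or any CF-Talk poster; it is in Python rather than ColdFusion, and the PBKDF2 iteration count and the lockout threshold "X" are assumed values):

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed parameters (not from the post): PBKDF2 cost and the lockout threshold "X".
ITERATIONS = 200_000
MAX_ATTEMPTS = 5


def hash_secret(secret: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a password or a hint answer.

    A fresh 16-byte random salt per stored record means two users who chose
    the same answer get different digests, so a precomputed dictionary of
    hashes cannot be matched against the whole table in one pass.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_secret(secret: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time (case-sensitive)."""
    _, candidate = hash_secret(secret, salt)
    return hmac.compare_digest(candidate, digest)


class ResetSession:
    """Self-service reset state for one user session.

    Counts failed answers and locks after MAX_ATTEMPTS; because the state
    lives only in the session, the lock resets itself when the session ends.
    """

    def __init__(self, salt: bytes, digest: bytes) -> None:
        self.salt, self.digest = salt, digest
        self.failures = 0

    def answer(self, attempt: str) -> str:
        if self.failures >= MAX_ATTEMPTS:
            return "locked"  # even a correct answer is refused once locked
        if verify_secret(attempt, self.salt, self.digest):
            return "ok"
        self.failures += 1
        return "locked" if self.failures >= MAX_ATTEMPTS else "wrong"
```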