On 24 Aug 2009, at 05:27, Corn Walker wrote:
> [snip]
> One way to address this without compromising security is to send an
> email with the error report to the non-registered address instead of
> displaying the error on the web page. In this way the user still
> receives valuable feedback (with a link back to site registration if
> appropriate) while automated bots are unable to ascertain whether
> the address was valid or not.
> [snip]
The case where this falls down for the customer is if they mistype the
e-mail address rather than giving the incorrect one... but I agree it
is one solution.
> You should also throttle the "forgot password" function to avoid it
> being abused. For example, after five attempts the ability to reset
> a lost password is unavailable for five minutes.
Absolutely. This is a far better solution for folk.
Although it can be tricky in some circumstances (e.g. when you have
many users apparently coming to your site from one IP address,
throttling one bad user can block access to many).
Other solutions include things like security questions, etc. to allow
you to authenticate users without having to ask for their e-mail
address again. Or asking for alternate info that might be more
familiar for them on that particular site (e.g. the username as
opposed to the e-mail address). Or showing the user the e-mail address
again on the confirmation page with some appropriately direct text on
why this has to be correct.
If it were me - I'd be talking with whoever mandated changing the
current system first. I'd be trying to figure out what the relative
risk is to the business and the customer - which should hopefully
lead me to an appropriate solution.
Yes - the current mechanism does offer a certain kind of security
risk. Whether that risk is worth making it harder for the user to do
certain tasks depends on how much damage a malicious user could cause
you and your customers. If it's stopping them getting access to a bank
account it probably is. If it's changing their newsletter subscription
it probably isn't.
Cheers,
Adrian
--
http://quietstars.com - twitter.com/adrianh - delicious.com/adrianh
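The reset flow the thread converges on (feedback delivered by email, identical page text whether or not the address is registered, and throttling keyed on the address as well as the IP so a shared proxy is not locked out by one bad user), as an added example. This is not code from the list; the limits, names and the in-memory store are assumptions.

```python
import secrets
import time
from collections import defaultdict, deque

# Limits are assumptions for this example: the thread's "five attempts, five
# minutes" applied per address, with a looser per-IP bound so that one bad
# user behind a shared proxy/NAT does not lock out everyone else on that IP.
PER_ADDRESS_LIMIT = (5, 300)    # (attempts, window in seconds)
PER_IP_LIMIT = (50, 300)

# Both branches return the same page text, so the web response itself cannot
# be used to tell registered addresses from unregistered ones.
GENERIC_RESPONSE = "If that address is known to us, we have sent you an email."
THROTTLED_RESPONSE = "Too many requests; please try again in a few minutes."


class ForgotPassword:
    def __init__(self, registered_emails, clock=time.monotonic):
        self.registered = {e.strip().lower() for e in registered_emails}
        self.clock = clock                   # injectable so tests can advance time
        self.attempts = defaultdict(deque)   # throttle key -> recent timestamps
        self.outbox = []                     # constructed stand-in for a mail sender

    def _over_limit(self, key, limit):
        """Sliding window: drop expired timestamps, then count. Blocked
        attempts are not recorded, so hammering does not extend the lockout."""
        max_attempts, window = limit
        now = self.clock()
        recent = self.attempts[key]
        while recent and now - recent[0] >= window:
            recent.popleft()
        if len(recent) >= max_attempts:
            return True
        recent.append(now)
        return False

    def request_reset(self, email, client_ip):
        email = email.strip().lower()
        # Evaluate both keys so each counter is updated independently.
        blocked = [self._over_limit(("email", email), PER_ADDRESS_LIMIT),
                   self._over_limit(("ip", client_ip), PER_IP_LIMIT)]
        if any(blocked):
            return THROTTLED_RESPONSE
        if email in self.registered:
            # The real reset link goes only to the registered mailbox.
            self.outbox.append((email, "reset-link", secrets.token_urlsafe(32)))
        else:
            # Unknown address: the error report goes to the mailbox, not the
            # page, so the user still learns what went wrong.
            self.outbox.append((email, "not-registered", None))
        return GENERIC_RESPONSE
```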
________________________________________________________________
Welcome to the Interaction Design Association (IxDA)!