Could you be more pedagogical, Dean?

On 7/13/07, Dean H. Saxe <[EMAIL PROTECTED]> wrote:

In that case, your clients are screwed.

Happy to help!


-dhs


(FWIW, Basic AuthN is HORRIBLY insecure and should be avoided at all
cost.)
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"What is objectionable, what is dangerous about extremists is not that
they are extreme, but that they are intolerant."
    -- Robert F. Kennedy, 1964


On Jul 13, 2007, at 4:38 PM, Cheyenne Throckmorton wrote:

In most of the applications that we run, our basic authentication is to
have them provide their email address as a username and then a password.

We store that password hashed with a salt in our databases, and have no
real way of knowing what it is.  If a user forgets their password, then they
have the system email them a link with a URL with a GUID variable that takes
them to a page where they can reset their password to whatever they want
again, and again only its hash is stored in our databases.

Now this is all fine and dandy, except what happens if this person both
forgets their password and changes email? Say they changed jobs and no
longer have access to the old email; how do you now authenticate this
person?

Currently, we don't have any secret questions or the like set up, but is
that the only way?

Just curious on some of your ideas out there on how you do authentication,
especially in the case of changed email and forgotten password.

Cheyenne

-------------------------------------------------------------
Annual Sponsor - Figleaf Software <http://www.figleaf.com/>

To unsubscribe from this list, manage your profile @
http://www.acfug.org/?fa=login.edituserform

For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by FusionLink <http://www.fusionlink.com/>
-------------------------------------------------------------
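The flow Cheyenne describes (salted password hashes, an emailed reset link carrying a random GUID, and a reset page that stores only the new hash), written out as an added Python example that is not code from this thread or from any list member. It assumes PBKDF2-HMAC-SHA256 for the password hash and uuid4 for the GUID, neither of which the post specifies; the in-memory dictionaries stand in for the database, and the token expiry, single-use handling and hashed token storage go beyond what the post states.

```python
import hashlib
import hmac
import os
import time
import uuid
from typing import Optional

# Constructed in-memory "database" (assumption: stands in for the real tables).
USERS = {}          # email -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}   # sha256(token) -> {"email": str, "expires": float}

PBKDF2_ITERATIONS = 600_000   # assumption: the post names no algorithm or cost
RESET_TOKEN_TTL = 15 * 60     # seconds; assumption: the post gives no lifetime


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so only a derived value is stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


def register(email: str, password: str) -> None:
    """Store a fresh random salt plus the hash; the password itself is never kept."""
    salt = os.urandom(16)
    USERS[email] = {"salt": salt, "hash": _hash_password(password, salt)}


def verify_password(email: str, password: str) -> bool:
    """Constant-time comparison of the recomputed hash against the stored one."""
    rec = USERS.get(email)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"]))


def _token_key(token: str) -> str:
    """Only a hash of the reset GUID is stored, so a DB read alone yields no link."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def create_reset_token(email: str, now: Optional[float] = None) -> Optional[str]:
    """Return the GUID to embed in the emailed reset URL, or None for unknown email.

    The GUID is random (uuid4), not derived from the user, and it expires.
    """
    if email not in USERS:
        return None
    now = time.time() if now is None else now
    token = str(uuid.uuid4())
    RESET_TOKENS[_token_key(token)] = {"email": email,
                                       "expires": now + RESET_TOKEN_TTL}
    return token


def reset_password(token: str, new_password: str,
                   now: Optional[float] = None) -> bool:
    """Consume the token (single use), reject if expired, then store only the new hash."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(_token_key(token), None)   # pop => cannot be replayed
    if entry is None or now > entry["expires"]:
        return False
    register(entry["email"], new_password)              # new salt, new hash
    return True


if __name__ == "__main__":
    register("alice@example.com", "correct horse")      # constructed sample user
    tok = create_reset_token("alice@example.com")
    print("emailed link: https://example.invalid/reset?guid=" + tok)
    print("reset ok:", reset_password(tok, "new pass"))
    print("old password still valid:", verify_password("alice@example.com", "correct horse"))
    print("replayed token accepted:", reset_password(tok, "again"))
```

Hashing the stored reset GUID, expiring it, and consuming it on first use limit what a leaked database row or an old reset email can do; the remaining gap the thread is actually asking about, a user who has lost both the password and the mailbox, is outside what this flow can verify.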