Well, seriously.
How are you going to identify the account uniquely (to the extent
that email really can do that)? Unless you have an alternative
identification system, you're really SOL.
Is there other contact information you can use to communicate with
this person? Another way to identify him or her to reset the
password? What is the value of the data? What is the value of the
data to someone else? Can you afford to reset the password for
someone who you cannot identify as the original owner of the account?
This is a serious challenge in any system which depends on an address
as an identifier that may not exist tomorrow.
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"[T]he people can always be brought to the bidding of the leaders.
This is easy. All you have to do is to tell them they are being
attacked, and denounce the pacifists for lack of patriotism and
exposing the country to danger. It works the same in every country."
--Hermann Goering, Hitler's Reich-Marshall at the Nuremberg Trials
On Jul 13, 2007, at 5:04 PM, AppDeveloper wrote:
Could you be more pedagogical, Dean?
On 7/13/07, Dean H. Saxe <[EMAIL PROTECTED]> wrote:
In that case, your clients are screwed.
Happy to help!
-dhs
(FWIW, Basic AuthN is HORRIBLY insecure and should be avoided at
all cost.)
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"What is objectionable, what is dangerous about extremists is not
that they are extreme, but that they are intolerant."
-- Robert F. Kennedy, 1964
On Jul 13, 2007, at 4:38 PM, Cheyenne Throckmorton wrote:
In most of our applications that we run our basic authentication
is to have them provide their email address as a username and then
a password.
We store that password hashed with salt onto our databases, and
have no real way of knowing what it is. If a user forgets their
password then they have the system email them a link with a URL
with a GUID variable that takes them to a page where they can
reset their password to whatever they want again, and again only
its hash is stored in our databases.
Now this is all fine and dandy, except what happens if this person
both forgets their password and changes email, say they changed
jobs and no longer have access to the old email, how do you now
authenticate this person?
Currently, we don't have any secret questions or the like set up,
but is that the only way?
Just curious on some of your ideas out there on how you do
authentication, especially in the case of changed email and
forgotten password.
Cheyenne
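The flow Cheyenne describes (salted password hashes, and an emailed link carrying a random GUID-style token that unlocks a reset page) sketched as an added example that is not code from anyone on this list; the in-memory token table and the 15-minute link lifetime are assumptions. It stores only a hash of the token, binds each token to one account, expires it, and consumes it on first use, so a leaked database row or a replayed link does not turn into a reset of someone else's account.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a reset link is only good for 15 minutes


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted password hash for storage; returns (salt, digest). Only these are kept."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a login attempt against the stored digest."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


class ResetTokens:
    """In-memory stand-in for the reset-token table (constructed for this example)."""

    def __init__(self, now=time.time):
        self._now = now
        self._rows = {}  # sha256(token) -> (bound email, expiry timestamp)

    def issue(self, email: str) -> str:
        """Mint the token that goes into the emailed link; only its hash is stored."""
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, unguessable
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        self._rows[token_hash] = (email.lower(), self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, email: str, token: str) -> bool:
        """True only if the token is unexpired, unused and bound to this account.

        Any presentation consumes the row, so a link cannot be replayed.
        """
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        row = self._rows.pop(token_hash, None)
        if row is None:
            return False
        bound_email, expires_at = row
        return bound_email == email.lower() and self._now() <= expires_at
```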
-------------------------------------------------------------
Annual Sponsor - Figleaf Software
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by FusionLink
-------------------------------------------------------------