On 7/16/07, Dean H. Saxe <[EMAIL PROTECTED]> wrote:
But you still need an out of band method of contacting the user,
usually email.  No email, no out of band contact method.  Any method
without out of band contact is a potential way for attackers to
identify valid accounts, opening them up to brute force password
attacks.

I know I'm jumping into this late here but - I've started to design
systems that encourage users to enter more than one email address so
that they can be contacted if they change one of them.  Most people do
have more than one email account now, and it's pretty easy to allow a
user's account to have more than one email address associated with it.
This just means that when they login you'll have to maybe do one join
to check against all the potential email accounts they may have
associated with their account.

If they change one email, they can always try one of the others...
LinkedIn works this way (I think).  A lot of social networking sites
are doing this to allow people to link up and find more people.

Another way to get a new password to them is via text message on their
phone.  If someone has changed all their email addresses, you may
still have a valid phone number for them.  It's not free to send SMS,
but depending on the application, it's a possibility.

Another method would be via IM.  There are a lot of possibilities
depending on how much info you collect from your users...

Of course - either way you are going to want to have them change their
password or invalidate it within a certain timeframe in case it's
observed in one of those insecure "out of band" communication
channels.

-Cameron

--
Cameron Childress
Sumo Consulting Inc
http://www.sumoc.com
---
cell:  678.637.5072
aim:   cameroncf
email: [EMAIL PROTECTED]
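The two ideas in this message, resolving an account from any of several stored addresses (the "one join") and forcing a reset to die quickly in case it is seen in transit, are easy to get subtly wrong, so here is an added, self-contained sketch of both. This is example code written for this page, not code from Cameron, Dean or any list member, and it uses in-memory dictionaries in place of the database tables; the 15-minute lifetime, the `example.com`/`example.org` addresses and the class and function names are all assumptions for the illustration. It also folds in Dean's enumeration concern: the reset endpoint returns the same message whether or not the address is known.

```python
from __future__ import annotations

import hashlib
import secrets
import time
from dataclasses import dataclass, field

# Assumption for the example: reset tokens expire 15 minutes after issue.
RESET_TTL_SECONDS = 15 * 60


@dataclass
class Account:
    account_id: int
    username: str
    # Several addresses per account. Assumption: addresses are stored
    # lower-cased so that lookups are case-insensitive.
    emails: set[str] = field(default_factory=set)


@dataclass
class ResetToken:
    account_id: int
    expires_at: float
    used: bool = False


def _hash(token: str) -> str:
    # Only the SHA-256 of the token is stored; a leaked table of hashes
    # cannot be replayed as reset links.
    return hashlib.sha256(token.encode()).hexdigest()


class AccountStore:
    """In-memory stand-in for the accounts table plus an account_email join table."""

    def __init__(self, now=time.time):
        self._now = now                      # injectable clock, for testing expiry
        self.accounts: dict[int, Account] = {}
        self.email_index: dict[str, int] = {}   # address -> account_id
        self.tokens: dict[str, ResetToken] = {}  # sha256(token) -> record

    def add_account(self, account: Account) -> None:
        self.accounts[account.account_id] = account
        for e in account.emails:
            self.email_index[e.lower()] = account.account_id

    def find_by_any_email(self, email: str) -> Account | None:
        """The 'one join': any of an account's addresses resolves to the account."""
        account_id = self.email_index.get(email.strip().lower())
        return self.accounts.get(account_id) if account_id is not None else None

    def request_reset(self, email: str) -> tuple[str, str | None]:
        """Return (user-facing message, token-or-None).

        The message is identical for known and unknown addresses, so the
        endpoint cannot be used to enumerate valid accounts. The raw token is
        returned only so the caller can deliver it out of band (email, SMS, IM).
        """
        message = "If that address is on file, a reset link has been sent."
        account = self.find_by_any_email(email)
        if account is None:
            return message, None
        token = secrets.token_urlsafe(32)    # 256 bits of randomness
        self.tokens[_hash(token)] = ResetToken(
            account_id=account.account_id,
            expires_at=self._now() + RESET_TTL_SECONDS,
        )
        return message, token

    def redeem_reset(self, token: str) -> int | None:
        """Return the account id if the token is valid, unused and unexpired.

        The token is burned on first use, so someone who observed it on an
        insecure channel cannot replay it after the legitimate user has.
        """
        record = self.tokens.get(_hash(token))
        if record is None or record.used or self._now() > record.expires_at:
            return None
        record.used = True
        return record.account_id


def demo() -> dict:
    """Walk through the multi-address lookup, single use and expiry behaviour."""
    clock = [1_000_000.0]                     # constructed, controllable clock
    store = AccountStore(now=lambda: clock[0])
    store.add_account(Account(1, "cameron", {"cameron@example.com", "cf@example.org"}))

    msg_known, tok = store.request_reset("CF@example.org")   # second address, odd case
    msg_unknown, no_tok = store.request_reset("nobody@example.net")
    first = store.redeem_reset(tok)
    replay = store.redeem_reset(tok)          # second use of the same token

    _, tok2 = store.request_reset("cameron@example.com")
    clock[0] += RESET_TTL_SECONDS + 1         # advance past the lifetime
    expired = store.redeem_reset(tok2)

    return {
        "uniform_response": msg_known == msg_unknown,
        "unknown_gets_token": no_tok is not None,
        "first": first,
        "replay": replay,
        "expired": expired,
    }


if __name__ == "__main__":
    print(demo())
```

Whichever out-of-band channel carries the token, the same three properties matter: the address lookup covers every address on the account, the stored form of the token is not usable if the table leaks, and the token stops working after first use or after the lifetime, whichever comes first.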

