Yup, hence why you send a one-time use link with a limited window of
opportunity, say 24 hours, for the user to click the link, answer the
security questions and gain access to their account.
Does every system need to do this? Hell no, you need to decide what
is the appropriate level of security for your users. These are just
best practices that are well known and followed in secure systems.
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"Free speech exercised both individually and through a free press, is
a necessity in any country where people are themselves free."
-- Theodore Roosevelt, 1918
On Jul 16, 2007, at 6:39 PM, Cameron Childress wrote:
On 7/16/07, Dean H. Saxe <[EMAIL PROTECTED]> wrote:
But you still need an out of band method of contacting the user,
usually email. No email, no out of band contact method. Any method
without out of band contact is a potential way for attackers to
identify valid accounts, opening them up to brute force password
attacks.
I know I'm jumping into this late here but - I've started to design
systems that encourage users to enter more than one email address so
that they can be contacted if they change one of them. Most people do
have more than one email account now, and it's pretty easy to allow a
user's account to have more than one email address associated with it.
This just means that when they login you'll have to maybe do one join
to check against all the potential email accounts they may have
associated with their account.
If they change one email, they can always try one of the others...
LinkedIn works this way (I think). A lot of social networking sites
are doing this to allow people to link up and find more people.
Another way to get a new password to them is via text message on their
phone. If someone has changed all their email addresses, you may
still have a valid phone number for them. It's not free to send SMS,
but depending on the application, it's a possibility.
Another method would be via IM. There are a lot of possibilities
depending on how much info you collect from your users...
Of course - either way you are going to want to have them change their
password or invalidate it within a certain timeframe in case it's
observed in one of those insecure "out of band" communication
channels.
-Cameron
--
Cameron Childress
Sumo Consulting Inc
http://www.sumoc.com
---
cell: 678.637.5072
aim: cameroncf
email: [EMAIL PROTECTED]
-------------------------------------------------------------
Annual Sponsor FigLeaf Software - http://www.figleaf.com
To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-------------------------------------------------------------
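The one-time, time-limited reset link that both messages describe (a single-use token, a 24-hour window, and invalidation once it has been used or superseded) looks roughly like the following. This is an added illustration, not code from either poster or from the list; the in-memory ResetTokenStore, its method names and the 24-hour default are assumptions made for the example, and a real system would keep the same records in its user database.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone


class ResetTokenStore:
    """Hypothetical store for one-time password-reset links.

    Only the SHA-256 of each token is kept, so a leaked copy of this
    table does not by itself yield a working link.
    """

    def __init__(self, ttl: timedelta = timedelta(hours=24)):
        self.ttl = ttl
        # token_hash -> {"user": user_id, "expires": datetime, "used": bool}
        self._tokens: dict[str, dict] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str, now: datetime) -> str:
        """Create a fresh link for user_id; any earlier link stops working."""
        for rec in self._tokens.values():
            if rec["user"] == user_id:
                rec["used"] = True
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._tokens[self._digest(token)] = {
            "user": user_id,
            "expires": now + self.ttl,
            "used": False,
        }
        return token

    def redeem(self, token: str, now: datetime):
        """Return the user_id if the link is valid, else None.

        The link is consumed on the first attempt either way, so a
        second click (or a replay from an observed channel) fails.
        Looking up by hash is safe here: learning which stored hash
        matched does not give an attacker the token preimage.
        """
        rec = self._tokens.get(self._digest(token))
        if rec is None:
            return None
        expired = now > rec["expires"]
        already_used = rec["used"]
        rec["used"] = True
        if expired or already_used:
            return None
        return rec["user"]


def reset_link(base_url: str, token: str) -> str:
    """Build the URL mailed to the user (base_url is an assumption)."""
    return f"{base_url.rstrip('/')}/reset?token={token}"


if __name__ == "__main__":
    # Constructed sample run: the same link works once and only once.
    store = ResetTokenStore()
    t0 = datetime(2007, 7, 16, 18, 39, tzinfo=timezone.utc)
    tok = store.issue("alice", t0)
    print(reset_link("https://example.invalid", tok))
    print(store.redeem(tok, t0 + timedelta(hours=1)))   # alice
    print(store.redeem(tok, t0 + timedelta(hours=2)))   # None (used)
    tok = store.issue("alice", t0)
    print(store.redeem(tok, t0 + timedelta(hours=25)))  # None (expired)
```

Whatever channel the link travels over (email, SMS, IM), the only thing the store trusts is that the token arrives back before its expiry and has not been seen before; after a successful redeem the application should still require the user to set a new password rather than mailing one out.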