On Fri, Sep 17, 2010 at 5:15 PM, Samuel Lai <[email protected]> wrote:

[...]

> > And if you have a "forgot password" don't say whether the email address you
> > enter succeeds or fails.  So many fail at this step.
>
> That isn't very practical though. How long should the user be expected to
> wait for the password reset email to arrive? I often can't remember if I
> have registered on a website, particularly if it was only to get access to
> something.

I tend to agree, I have many email accounts, and rarely remember what
I used where.

Amusingly, you could perhaps, if you were so inclined, show the image
that gravatar would generate for the email address that you've
retrieved. Conveys less information to the random password resetter,
but more information to the actual account holder.


> Also, what happens when a user tries to register with an email address that
> has already been used? System error?

Registration typically requires the solution of a CAPTCHA, forgot
password doesn't (potentially it should), but anyway, that's an aside.

The best approach to the attack meski is implying (harvesting emails)
is just to slow down the process dramatically. It doesn't affect
single users, but affects people trying to brute-force information
from your site.


> Personally, I'll settle for never seeing my current password being sent to
> me in clear text again for whatever reason. Mailman, I'm looking at you,
> among others.

Agreed, I mean I don't want to start a whole thread here or
miscelaneous security advice, but I do hope people realise that the
correct pattern is to generate an access token (that only allows
password reset), send that, allow only one login using it, and force
the user to come up with a new password. You should never send the
existing password (indeed, you should never even have it, it should be
hashed and salted).

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."

Reply via email to