On Fri, Sep 17, 2010 at 5:15 PM, Samuel Lai <[email protected]> wrote:
[...] > > And if you have a "forgot password" don't say whether the email address you > > enter succeeds or fails. So many fail at this step. > > That isn't very practical though. How long should the user be expected to > wait for the password reset email to arrive? I often can't remember if I > have registered on a website, particularly if it was only to get access to > something. I tend to agree, I have many email accounts, and rarely remember what I used where. Amusingly, you could perhaps, if you were so inclined, show the image that gravatar would generate for the email address that you've retrieved. Conveys less information to the random password resetter, but more information to the actual account holder. > Also, what happens when a user tries to register with an email address that > has already been used? System error? Registration typically requires the solution of a CAPTCHA, forgot password doesn't (potentially it should), but anyway, that's an aside. The best approach to the attack meski is implying (harvesting emails) is just to slow down the process dramatically. It doesn't affect single users, but affects people trying to brute-force information from your site. > Personally, I'll settle for never seeing my current password being sent to > me in clear text again for whatever reason. Mailman, I'm looking at you, > among others. Agreed, I mean I don't want to start a whole thread here or miscelaneous security advice, but I do hope people realise that the correct pattern is to generate an access token (that only allows password reset), send that, allow only one login using it, and force the user to come up with a new password. You should never send the existing password (indeed, you should never even have it, it should be hashed and salted). -- silky http://dnoondt.wordpress.com/ "Every morning when I wake up, I experience an exquisite joy — the joy of being this signature."
