# from Erik Hollensbe
# on Monday 20 February 2006 12:27 pm:

>While the likelihood of catching email is rather unlikely (unless the
>web server or client is compromised,

Or there is a packet sniffer anywhere between.

>1) User requests password reset
>2) 3 unique, random values are generated, a, b, and c, which are
>stored local to the webserver
>3) A cookie is set on the browser with a+b hashed, with a timeout
>4) special url is emailed to the user with a+c hashed used for
>confirmation
>5) user clicks url
>6) a+c is checked, hash of a+b is generated
>7) a+b is validated against cookie
>8) if we're here, user is allowed to change password.

This does make it harder to write a bot which breaks into the site, but 
doesn't add much security beyond the random password implementation 
that's already there.  True, this prevents the case where _you_ request 
a reset and a lurking, patient attacker with a packet sniffer could 
grab the (cleartext) temporary password and get to the site before you, 
but IMO that is not worth the extra effort for that little slice of 
security when a lazier attacker with that same packet sniffer could 
request a reset of your account and perform all of this while you 
sleep.  Smart crackers choose to attack in the second way, since that 
requires the same tools and knowledge but not as much patience.

Email is inherently insecure and the only way to secure it is 
encryption.

Another hole with my current implementation is that it can effectively 
act as a spambot backend for some malicious webbot.  Sure, a direct 
spambot would be more CPU-efficient, but that's premature optimization 
when you consider that blacklisting the site's mailbot means you don't 
get event notifications.  Thus, we need some way to disable or limit 
this, preferably at the option of the user.

# from Erik Hollensbe
# on Monday 20 February 2006 12:52 pm:

>it seems after I posted this
>you guys had decided on an implementation.

Well, I decided and implemented something on Sunday, so technically 
before you posted it and before we really had much discussion.  I 
wouldn't ever say that anything with the site is set in stone though, 
so feel free to hack and heckle.

--Eric
-- 
"Insert random misquote here"
---------------------------------------------------
    http://scratchcomputing.com
---------------------------------------------------
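The eight-step reset scheme quoted above, as an added Ruby example that is not code from the site or from either poster. The SHA-256 digest, the 15-minute timeout, the in-memory store and the "a+b" concatenation format are assumptions; the timeout from step 3 is enforced on the server as well as in the cookie, and the tokens are single use.

```ruby
require 'securerandom'
require 'digest'

# Constructed stand-in for values "stored local to the webserver".
class PasswordReset
  TTL = 15 * 60 # seconds; assumption, the thread names no concrete timeout

  # now: injectable clock (returns epoch seconds) so expiry can be tested
  def initialize(now: -> { Time.now.to_i })
    @now = now
    @pending = {} # user => { a:, b:, c:, expires: }
  end

  # Steps 1-4: generate a, b, c; hand back the cookie value (hash of a+b)
  # and the token to embed in the emailed URL (hash of a+c).
  def request(user)
    a, b, c = Array.new(3) { SecureRandom.hex(16) }
    @pending[user] = { a: a, b: b, c: c, expires: @now.call + TTL }
    { cookie: digest(a, b), email_token: digest(a, c) }
  end

  # Steps 5-8: the clicked URL carries the email token and the browser
  # presents the cookie. True only if both channels match and the
  # request has not expired; the record is consumed on success.
  def confirm(user, email_token, cookie)
    rec = @pending[user]
    return false unless rec
    return false if @now.call > rec[:expires]
    email_ok  = secure_eq(digest(rec[:a], rec[:c]), email_token.to_s)
    cookie_ok = secure_eq(digest(rec[:a], rec[:b]), cookie.to_s)
    ok = email_ok && cookie_ok
    @pending.delete(user) if ok
    ok
  end

  private

  def digest(x, y)
    Digest::SHA256.hexdigest("#{x}+#{y}")
  end

  # Length check then constant-time byte comparison, so an attacker
  # guessing a token learns nothing from response timing.
  def secure_eq(expected, given)
    return false unless expected.bytesize == given.bytesize
    expected.bytes.zip(given.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```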
_______________________________________________
PDXRuby mailing list
[email protected]
IRC: #pdx.rb on irc.freenode.net
http://lists.pdxruby.org/mailman/listinfo/pdxruby
