# from Erik Hollensbe
# on Monday 20 February 2006 02:07 pm:
>There's no temporary password. The user is allowed to change it
>themselves (over SSL, where the cookie is sent and received), and it
>never ends up in the email.
(a+c).hashed == temporary_password
If we hold one piece in the browser and send another via e-mail, it is
as susceptible to attack as a simple string over e-mail because the
easiest attack is for the attacker to use his own browser to request
the reset and simply snag the bits of your e-mail out of the TCP
traffic.
--Eric
--
Like a lot of people, I was mathematically abused as a child.
--Paul Graham
---------------------------------------------------
http://scratchcomputing.com
---------------------------------------------------
_______________________________________________
PDXRuby mailing list
[email protected]
IRC: #pdx.rb on irc.freenode.net
http://lists.pdxruby.org/mailman/listinfo/pdxruby