On Feb 20, 2006, at 2:16 PM, Eric Wilhelm wrote:

> # from Erik Hollensbe
> # on Monday 20 February 2006 02:07 pm:
>
>> There's no temporary password. The user is allowed to change it
>> themselves (over SSL, where the cookie is sent and received), and it
>> never ends up in the email.
>>
>>   (a+c).hashed == temporary_password
>
> If we hold one piece in the browser and send another via e-mail, it is
> as susceptible to attack as a simple string over e-mail because the
> easiest attack is for the attacker to use his own browser to request
> the reset and simply snag the bits of your e-mail out of the tcp
> traffic.

Ah, crap.. Good point.

--
Erik Hollensbe
[EMAIL PROTECTED]
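As an added illustration of the exchange above (a constructed Ruby model, not code from the list or from either poster), this models the split scheme Erik describes: half `a` lives in a cookie on the browser that requested the reset, half `c` goes out by e-mail, and the reset password is the hash of `a + c`. The class and method names, and the two scenario functions, are assumptions made for the example.

```ruby
require 'digest'
require 'securerandom'

# Constructed model (not code from the list) of the split reset scheme:
# half 'a' is set as a browser cookie on the machine that requested the
# reset, half 'c' is e-mailed, and the reset password is H(a + c).
class SplitResetService
  def initialize
    @pending = {} # account => hex digest of the expected temporary password
  end

  # Start a reset. Returns the two halves so the caller can route them:
  # :cookie stays with the requesting browser, :email goes out by mail.
  def request_reset(account)
    a = SecureRandom.hex(16)
    c = SecureRandom.hex(16)
    @pending[account] = Digest::SHA256.hexdigest(a + c)
    { cookie: a, email: c }
  end

  # The reset form recombines whatever cookie the browser presents with
  # the string pasted from the e-mail; only the right pair hashes correctly.
  def redeem?(account, cookie, email_part)
    expected = @pending[account]
    return false if expected.nil?
    expected == Digest::SHA256.hexdigest(cookie.to_s + email_part.to_s)
  end
end

# Case 1 (Eric's point): the adversary requests the reset for the victim's
# account from their own browser, so they already hold 'a'; the e-mailed
# 'c', read off unencrypted mail traffic, is then all that is missing.
def attacker_initiated_succeeds?
  svc = SplitResetService.new
  halves = svc.request_reset('victim')   # the attacker's browser receives the cookie
  observed_email_part = halves[:email]   # constructed: the e-mailed half as seen on the wire
  svc.redeem?('victim', halves[:cookie], observed_email_part)
end

# Case 2: the victim requested the reset and a passive observer only sees the
# e-mail; without the cookie half the hash does not match, so the split does
# buy something, but only in this narrower situation.
def passive_observer_fails?
  svc = SplitResetService.new
  halves = svc.request_reset('victim')   # the victim's own browser holds the cookie
  observed_email_part = halves[:email]
  !svc.redeem?('victim', nil, observed_email_part)
end

if __FILE__ == $PROGRAM_NAME
  puts "attacker-initiated reset redeemable with e-mail half only: #{attacker_initiated_succeeds?}"
  puts "passive e-mail observer blocked without cookie half:       #{passive_observer_fails?}"
end
```

The model makes the design point concrete: the cookie half only protects a reset the legitimate user started, and once the attacker can start the reset themselves the e-mailed half is the only secret in play, exactly as with a plain string sent by e-mail.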



_______________________________________________
PDXRuby mailing list
[email protected]
IRC: #pdx.rb on irc.freenode.net
http://lists.pdxruby.org/mailman/listinfo/pdxruby
