[OWASP-ESAPI] IAuthenticator

andy.gocke at owasp.org
Thu Jan 3 15:02:52 EST 2008


I remember seeing something about secret questions on Schneier's blog and
I think I agree.
The link is
http://www.schneier.com/blog/archives/2005/02/the_curse_of_th.html .

I'm not sure I have a better solution though. Personally, I'm uncomfortable
with any site with password lists (prefer hashing functions), which leaves
email reset as an option. The upside is that the user would already have to
have write access to the application in order to redirect the email (or have
hacked into the user's email), but the downside is that if the user changes
email or loses access to their email things get much more complicated.

Just my 2 cents.

Thanks,
Andy Gocke

> Hi Jim,
>
>> We could add
>> IUser createUser(String accountName, String password1, String password2,
>> Map questionAnswerMap) throws AuthenticationException;
>
> I think we should do something to support forgotten passwords, but I'm not
> sure the secret question approach is very good.  I guess in the absence of
> a clear best approach, I had planned to let people innovate their own
> solutions.  But providing support for this is something we should consider.
> Anyone feel strongly about this?
>
>> On a similar note - I assume you expect the caller of createUser
>> function to hash the password before hitting it.  Perhaps with a little
>> inheritance we could force that - or at least add a little Javadoc at
>
> Actually, the createUser() method does expect plaintext - basically exactly
> what you'd get from the change password form (username, password1,
> password2).  This calls the User() constructor, which does the hashing
> automatically.  I'd rather not rely on developers to do this hashing
> properly.
>
> --Jeff
>
>
>
> _______________________________________________
> OWASP-ESAPI mailing list
> OWASP-ESAPI at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-esapi
>
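An added example, written for this archive page and not ESAPI's own code (nor code from anyone in the thread), of the two points discussed above: a User constructor that hashes the plaintext it is handed, so callers of createUser() never hash anything themselves, and an email-based reset that mails a single-use, expiring random token and stores only the token's hash. The class name ResetFlowExample, the methods requestReset and completeReset, the PBKDF2 parameters and the 30-minute token lifetime are assumptions of the example, not the ESAPI API.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example, not ESAPI code. Class, method and constant names below are assumptions.
public final class ResetFlowExample {
    static final SecureRandom RNG = new SecureRandom();
    static final int PBKDF2_ITERATIONS = 100_000;         // assumption: tune per deployment
    static final long TOKEN_TTL_MILLIS = 30L * 60 * 1000;  // assumption: 30-minute reset window

    // The constructor takes plaintext and hashes it itself, so a caller of createUser()
    // has no opportunity to store an unhashed or badly hashed password.
    static final class User {
        final String accountName;
        String email;
        private byte[] salt;
        private byte[] passwordHash;

        User(String accountName, String email, String password1, String password2) {
            if (!password1.equals(password2)) throw new IllegalArgumentException("passwords do not match");
            this.accountName = accountName;
            this.email = email;
            setPassword(password1);
        }
        void setPassword(String plaintext) {
            byte[] newSalt = new byte[16];                 // fresh random salt on every change
            RNG.nextBytes(newSalt);
            salt = newSalt;
            passwordHash = pbkdf2(plaintext, newSalt);
        }
        boolean verifyPassword(String plaintext) {
            return MessageDigest.isEqual(passwordHash, pbkdf2(plaintext, salt)); // constant-time compare
        }
    }

    static byte[] pbkdf2(String password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, PBKDF2_ITERATIONS, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }

    static String sha256(String s) {
        try {
            return Base64.getEncoder().encodeToString(
                    MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)));
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }

    // Only the SHA-256 of a mailed token is stored, so reading this table yields no usable links.
    record PendingReset(String accountName, long expiresAtMillis) {}

    private final Map<String, User> users = new HashMap<>();
    private final Map<String, PendingReset> pendingByTokenHash = new HashMap<>();

    User createUser(String accountName, String email, String password1, String password2) {
        if (users.containsKey(accountName)) throw new IllegalArgumentException("account exists");
        User u = new User(accountName, email, password1, password2);
        users.put(accountName, u);
        return u;
    }

    // Returns the token to embed in the link mailed to u.email, or null for an unknown account;
    // the HTTP response must look identical in both cases so the form cannot enumerate accounts.
    String requestReset(String accountName, long nowMillis) {
        User u = users.get(accountName);
        if (u == null) return null;
        byte[] raw = new byte[32];                         // 256 bits from a CSPRNG
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        pendingByTokenHash.put(sha256(token), new PendingReset(accountName, nowMillis + TOKEN_TTL_MILLIS));
        return token;
    }

    boolean completeReset(String token, String password1, String password2, long nowMillis) {
        if (!password1.equals(password2)) return false;    // keep the token so the user can retry
        PendingReset p = pendingByTokenHash.remove(sha256(token)); // single use, expired or not
        if (p == null || nowMillis > p.expiresAtMillis()) return false;
        users.get(p.accountName()).setPassword(password1); // same hashing path as createUser()
        return true;
    }

    public static void main(String[] args) {
        ResetFlowExample app = new ResetFlowExample();
        app.createUser("alice", "alice@example.invalid", "correct horse", "correct horse");
        long now = System.currentTimeMillis();
        String stale = app.requestReset("alice", now);
        System.out.println("expired token accepted: " + app.completeReset(stale, "new pw", "new pw", now + TOKEN_TTL_MILLIS + 1));
        String fresh = app.requestReset("alice", now);
        System.out.println("fresh token accepted: " + app.completeReset(fresh, "new pw", "new pw", now + 1));
        System.out.println("token reusable: " + app.completeReset(fresh, "x", "x", now + 2));
        System.out.println("new password verifies: " + app.users.get("alice").verifyPassword("new pw"));
    }
}
```

Compile with javac (Java 16 or later, for the record type) and run main() to exercise the expired, fresh and reused token cases. Two things the flow relies on that the code leaves to the surrounding application: the token goes only to the address on file at the time of the request, and changing that address should itself require the current password, so that redirecting reset mail already needs the access the reset exists to recover.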