[Owasp-cert] [WEB SECURITY] quick question on password reset 'best practices'

Matthew Chalmers matthew.chalmers at owasp.org
Fri Jul 25 16:11:20 EDT 2008


FYI, I'm cross-posting this to OWASP-Cert since we've been discussing
non-US-centric topics...

Matt
On Fri, Jun 6, 2008 at 9:17 AM, Martin O'Neal <martin.oneal at corsaire.com>
wrote:

>
> > Not gonna happen. So many systems are already
> > built based upon this identifier (plus many more
> > coming online) and not going to change anytime
> > soon. Better to work around the practice and see
> > if we can make it secure rather than trying to
> > fight an uphill battle changing peoples hearts
> > and minds.
>
> LOL.  Until the pre-authentication information stops being both public
> and sensitive it will never be secure; all you can do is tinker at the
> edges.
>
> As an aside, the move away from email-address usernames is a necessity
> for some.  In the UK we have the data protection act (DPA), and the
> Durant [1] test case effectively made an email address in itself
> personal identifying information.
>
> Martin...
>
>
> [1] http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/the_durant_case_and_its_impact_on_the_interpretation_of_the_data_protection_act.pdf
>