[Owasp-leaders] Another take on Passwords

Tom Brennan - OWASP tomb at owasp.org
Sat Jan 24 10:01:52 EST 2009

The "best" is debatable. Out-of-Band one time passcodes example via sms may have more value or hash generated address block authorizations

A typical monday morning dumpster dive may reveal the others or a simple call to the mark with a refinance question to capture in your example the "monthly" mortgage payment. 

The attacker does play be the rules... They just attack the logic that is weakest in the chain right... And financial web applications are not really that important to protect against massive syn/pin timing attacks and weak business logic <grin>

Any questions, give me a call at 973-202-0122

-----Original Message-----
From: "Marco M. Morana" <marco.m.morana at gmail.com>

Date: Sat, 24 Jan 2009 08:27:07 
To: <owasp-leaders at lists.owasp.org>
Subject: Re: [Owasp-leaders] Another take on Passwords

OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org

More information about the OWASP-Leaders mailing list