That being a viable security hole assumes that either:

1. That anyone can visit the signup page, not just contacts whose email addresses you have on file (authenticated via the email signup link).

or

2. That your legitimate contacts stand to gain by impersonating another user, when they already have access to the data.

and

3. That the userbase is large enough that collisions are somewhat likely.

and

4. That allowing duplicate PINs, and just picking 1 user to log them on in the event they lose their cookie is detrimental.
--MB

> -----Original Message-----
> From: Discussion of advanced .NET topics. [mailto:ADVANCED-
> [EMAIL PROTECTED] On Behalf Of Peter Ritchie
> Sent: Thursday, January 03, 2008 6:56 PM
> To: ADVANCED-DOTNET@DISCUSS.DEVELOP.COM
> Subject: Re: [ADVANCED-DOTNET] non authenticated security
>
> Not to mention the use case where a new user signing up types in an
> already in use PIN and is informed "That PIN is in use, please choose
> another"...
>
> ...assumes you only need a PIN to log in...
>
> On Thu, 3 Jan 2008 13:29:22 -0800, Greg Young <[EMAIL PROTECTED]>
> wrote:
>
> >Wow that sounds like a really bad idea (the searching of the pin).
> >Let's try attacking it, I delete my cookie go to the site and enter a
> >pin (either I get in or I don't :))
> >
> >Let's assume a small user base of 1000 users ... still a 10% chance
> >per try (those add up quick :))
>
> ===================================
> This list is hosted by DevelopMentor(r) http://www.develop.com
>
> View archives and manage your subscription(s) at
> http://discuss.develop.com
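The numbers the thread argues over (Greg's "10% chance per try" for 1000 users, and MB's point about collision likelihood) can be worked out directly; the following is an added example written for this archive, not code from any of the posters, and it assumes decimal PINs of a fixed length drawn uniformly, with the per-try and birthday-bound figures used to size the PIN space rather than to test a live site.

```python
import math

def guess_success_per_try(users: int, pin_space: int) -> float:
    """Probability that one PIN chosen at random is in use, assuming every
    user holds a distinct PIN (the best case for the site)."""
    return min(1.0, users / pin_space)

def cumulative_guess_success(users: int, pin_space: int, tries: int) -> float:
    """Probability that at least one of `tries` distinct PIN attempts hits an
    in-use PIN. Attempts do not repeat, so the miss probability is a
    hypergeometric product rather than a simple power of (1 - p)."""
    if users >= pin_space:
        return 1.0
    miss = 1.0
    for i in range(min(tries, pin_space)):
        miss *= (pin_space - users - i) / (pin_space - i)
    return 1.0 - miss

def collision_probability(users: int, pin_space: int) -> float:
    """Birthday bound: probability that at least two of `users` independently
    chosen PINs coincide (MB's point 3), computed as 1 - P(all distinct)."""
    if users > pin_space:
        return 1.0
    no_collision = 1.0
    for i in range(users):
        no_collision *= (pin_space - i) / pin_space
    return 1.0 - no_collision

def pin_digits_needed(users: int, max_guess_prob: float) -> int:
    """Sizing check (assumed here, not from the thread): smallest decimal PIN
    length whose space keeps the per-try guess probability <= max_guess_prob."""
    digits, space = 0, 1
    while users / space > max_guess_prob:
        digits += 1
        space *= 10
    return digits

if __name__ == "__main__":
    users, space = 1000, 10_000          # constructed: 1000 users, 4-digit PINs
    print(f"per-try hit rate:      {guess_success_per_try(users, space):.3f}")
    print(f"hit within 10 tries:   {cumulative_guess_success(users, space, 10):.3f}")
    print(f"PIN collision (120 u): {collision_probability(120, space):.3f}")
    print(f"digits for p<=1e-6:    {pin_digits_needed(users, 1e-6)}")
```

The birthday bound is the part that bites first: with 4-digit PINs, about 120 users already make a duplicate PIN more likely than not, well before the 1000-user guessing figure matters.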