Re: [ACFUG Discuss] Application Authentication and Security Question

2007-07-16 Thread Dean H. Saxe
Yup, hence why you send a one-time use link with a limited window of opportunity, say 24 hours, for the user to click the link, answer the security questions and gain access to their account. Does every system need to do this? Hell no, you need to decide what is the appropriate level of se
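An added illustration, not code from the thread, of the one-time, time-limited reset link described here, combined with the uniform response the later messages argue for so that the reset form cannot be used to tell registered addresses from unregistered ones. The in-memory store, injectable clock and link URL are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 60 * 60  # 24-hour window, as suggested in the thread


class ResetTokenStore:
    """Holds only a SHA-256 digest of each outstanding token (assumed in-memory store)."""

    def __init__(self, now=time.time):
        self._now = now            # clock is injectable so expiry can be tested
        self._tokens = {}          # digest -> (account_id, expires_at)

    def issue(self, account_id):
        token = secrets.token_urlsafe(32)  # 256 bits of entropy; not guessable
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._tokens[digest] = (account_id, self._now() + TOKEN_TTL_SECONDS)
        return token               # raw token goes only into the emailed link

    def redeem(self, token):
        """Return the account id once, or None if unknown, already used, or expired."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._tokens.pop(digest, None)   # pop: a token can be redeemed only once
        if entry is None:
            return None
        account_id, expires_at = entry
        if self._now() > expires_at:
            return None            # outside the window; the user must request a new link
        return account_id          # caller then asks the security questions before resetting


def request_reset(store, accounts, email, send_email):
    """Respond identically whether or not the address is registered."""
    account_id = accounts.get(email)
    if account_id is not None:
        link = "https://example.invalid/reset?token=" + store.issue(account_id)
        send_email(email, link)    # the out-of-band step: only the mailbox owner sees the token
    return "If that address is registered, a reset link has been sent."
```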

Re: [ACFUG Discuss] Application Authentication and Security Question

2007-07-16 Thread Cameron Childress
On 7/16/07, Dean H. Saxe <[EMAIL PROTECTED]> wrote: But you still need an out of band method of contacting the user, usually email. No email, no out of band contact method. Any method without out of band contact is a potential way for attackers to identify valid accounts, opening them up to bru

Re: [ACFUG Discuss] Application Authentication and Security Question

2007-07-16 Thread Dean H. Saxe
But you still need an out of band method of contacting the user, usually email. No email, no out of band contact method. Any method without out of band contact is a potential way for attackers to identify valid accounts, opening them up to brute force password attacks. -dhs Dean H. Sa

Re: [ACFUG Discuss] Application Authentication and Security Question

2007-07-16 Thread Bryan Tidd
I have used AOL's OpenID or OpenAuth implementation on a project. It's a pretty easy thing to use. It does however require the users to have an AIM Screen Name. In my case this wasn't an issue. LDAP is a very good option. Another is to implement a challenge - response system using several questio

Re: [ACFUG Discuss] Application Authentication and Security Question

2007-07-16 Thread Douglas Knudsen
How about setting up your own LDAP? End users would not be affected and you can set up fields to store, say, favorite pet or something easily. Further, you can use accounts across applications via groups and such. DK On 7/13/07, Cheyenne Throckmorton <[EMAIL PROTECTED]> wrote: Fortunately, this

Re: [ACFUG Discuss] Application Authentication and Security Question

2007-07-13 Thread Cheyenne Throckmorton
Fortunately, this system's access and the value of the data are not terribly important. Basically it just gives them an ability to upload a Word document, which we have trouble getting those users that can log in to do. I was merely tossing the question out there in case there were any creative ideas

Re: [ACFUG Discuss] Application Authentication and Security Question

2007-07-13 Thread Dean H. Saxe
Well, seriously. How are you going to identify the account uniquely (to the extent that email really can do that)? Unless you have an alternative identification system, you're really SOL. Is there other contact information you can use to communicate with this person? Another way to iden

Re: [ACFUG Discuss] Application Authentication and Security Question

2007-07-13 Thread AppDeveloper
Could you be more pedagogical, Dean? On 7/13/07, Dean H. Saxe <[EMAIL PROTECTED]> wrote: In that case, your clients are screwed. Happy to help! -dhs (FWIW, Basic AuthN is HORRIBLY insecure and should be avoided at all cost.) Dean H. Saxe, CISSP, CEH [EMAIL PROTECTED] "What is objectio

Re: [ACFUG Discuss] Application Authentication and Security Question

2007-07-13 Thread Dean H. Saxe
In that case, your clients are screwed. Happy to help! -dhs (FWIW, Basic AuthN is HORRIBLY insecure and should be avoided at all cost.) Dean H. Saxe, CISSP, CEH [EMAIL PROTECTED] "What is objectionable, what is dangerous about extremists is not that they are extreme, but that they are

[ACFUG Discuss] Application Authentication and Security Question

2007-07-13 Thread Cheyenne Throckmorton
In most of our applications that we run, our basic authentication is to have them provide their email address as a username and then a password. We store that password hashed with salt in our databases, and have no real way of knowing what it is. If a user forgets their password then they have