On Fri, Sep 17, 2010 at 2:29 PM, silky wrote:
[...]
> > From there it seems that we can conclude what we thought initially: do
> > not send back .NET exceptions for cryptography errors (always
> > something generic like "invalid username/password combination").
> >
> > Also, a general throttling
On 17 September 2010 17:15, Samuel Lai wrote:
>
>
> Sent from my iPhone
>
> On 17/09/2010, at 4:28 PM, mike smith wrote:
>
> On 17 September 2010 14:24, silky <michaelsli...@gmail.com> wrote:
>
>> On Tue, Sep 14, 2010 at 10:26 AM, silky <michaelsli...@gmail.com> wrote:
>>
>> [...]
>>
>>
On Fri, Sep 17, 2010 at 6:04 PM, Ken Schaefer wrote:
[...]
> > Agreed, I mean I don't want to start a whole thread here or
> > miscellaneous security advice, but I do hope people realise that
> > the correct pattern is to generate an access token (that only allows
> > password reset), send that,
-----Original Message-----
From: ozdotnet-boun...@ozdotnet.com On Behalf Of silky
Subject: Password Reset, was Re: 'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps
>> Personally, I'll settle for never seeing my current password being
>> sent
On Fri, Sep 17, 2010 at 5:15 PM, Samuel Lai wrote:
[...]
> > And if you have a "forgot password" don't say whether the email address you
> > enter succeeds or fails. So many fail at this step.
>
> That isn't very practical though. How long should the user be expected to
> wait for the password
On 17/09/2010, at 4:28 PM, mike smith wrote:
> On 17 September 2010 14:24, silky wrote:
> On Tue, Sep 14, 2010 at 10:26 AM, silky wrote:
>
> [...]
>
> >> The cookie might have the hashed result of an SSN. Shouldn't, but might.
> >
> > I don't think it's hashing that is
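The thread above makes three separate points about password reset: issue a token that is good for nothing except resetting the password, never tell the caller of "forgot password" whether the address exists, and answer any failure in the crypto or token path with one generic message rather than an exception. The following is an added example written for this page, not code posted by any of the participants or taken from any project. It assumes an in-memory user store, a list standing in for the outgoing mail queue, a clock passed in so the behaviour is reproducible, and a simple per-address request limit as a stand-in for the "general throttling" mentioned but not spelled out in the thread.

```python
"""Single-purpose password-reset tokens with non-revealing responses.

Added example; not code from the ozdotnet thread. The user store, the
outbox list, the injectable clock and the throttle constants are assumptions
made for the demonstration.
"""
import hashlib
import hmac
import os
import secrets
import time

GENERIC_OK = "If that address is registered, a reset link has been sent."
GENERIC_FAIL = "Invalid or expired reset link."
TOKEN_TTL = 15 * 60        # seconds a reset token stays valid
MAX_REQUESTS = 3           # assumed throttle: reset requests per address per window
WINDOW = 60 * 60           # throttle window in seconds


def hash_password(password, salt=None):
    """Salted PBKDF2 so the plaintext password is never stored or mailed."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


class ResetService:
    def __init__(self, now=time.time):
        self.now = now
        self.users = {}      # email -> {"salt": bytes, "pw": bytes}
        self.tokens = {}     # sha256(token) -> {"email", "purpose", "expires"}
        self.requests = {}   # email -> [request timestamps]
        self.outbox = []     # (email, token) pairs a real mailer would send
        self.log = []        # server-side detail that must not reach the client

    def add_user(self, email, password):
        salt, pw = hash_password(password)
        self.users[email] = {"salt": salt, "pw": pw}

    def request_reset(self, email):
        """Always returns GENERIC_OK: existence and throttling are decided silently."""
        recent = [t for t in self.requests.get(email, []) if t > self.now() - WINDOW]
        self.requests[email] = recent + [self.now()]
        if email in self.users and len(recent) < MAX_REQUESTS:
            token = secrets.token_urlsafe(32)          # 256 bits of entropy
            key = hashlib.sha256(token.encode()).hexdigest()
            # Only the hash is stored, so a leaked table does not yield usable tokens.
            self.tokens[key] = {"email": email, "purpose": "password_reset",
                                "expires": self.now() + TOKEN_TTL}
            self.outbox.append((email, token))
        return GENERIC_OK

    def complete_reset(self, token, new_password):
        """Verify purpose, expiry and single use; every failure looks the same."""
        try:
            key = hashlib.sha256(token.encode()).hexdigest()
            rec = self.tokens.pop(key, None)           # pop: a token is consumed on first use
            if (rec is None or rec["purpose"] != "password_reset"
                    or rec["expires"] < self.now()):
                self.log.append("reset rejected for key %s" % key[:8])
                return GENERIC_FAIL
            salt, pw = hash_password(new_password)
            self.users[rec["email"]] = {"salt": salt, "pw": pw}
            return "Password updated."
        except Exception as exc:                       # internal detail stays in the log
            self.log.append("reset error: %r" % exc)
            return GENERIC_FAIL

    def check_login(self, email, password):
        """A reset token is not a credential: only the stored password hash matches."""
        rec = self.users.get(email)
        salt = rec["salt"] if rec else b"\x00" * 16    # keep timing similar for unknown users
        expected = rec["pw"] if rec else b"\x00" * 32
        _, candidate = hash_password(password, salt)
        return rec is not None and hmac.compare_digest(candidate, expected)
```

The token is looked up by its hash rather than compared directly, so the stored table never contains anything that can be replayed, and the token only ever unlocks `complete_reset`; presenting it to `check_login` fails like any wrong password. Because `request_reset` returns the same string for unknown addresses, throttled addresses and successful requests, the only way for an attacker to learn anything is to control the mailbox.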