Date: Wed, 21 Sep 2016 10:53:14 +0200
From: Per Thorsheim <>
Subject: Re: Blog Post about Password Resets

Den 20.09.2016 21.39, skrev Scott Arciszewski:
> Hello,
> I'll not make a regular habit of doing this, but I thought this blog
> post might be of interest to the readers of this mailing list:
> It discusses the common design flaws with password reset features and
> proposes how to implement them securely. There's a TL;DR at the end.
> I'd greatly appreciate any feedback or criticism anyone can offer.
> Scott Arciszewski
> Chief Development Officer
> Paragon Initiative Enterprises <>

<top or bottom quoting - that's the eternal question!>

Ok, I really like your split-token idea. Bonus points for applying
constant-time to remove a potential timing leak.

Agree with Evan Johnson that opt-in password reset is NOT something you
would do by default, but as opt-out I say "yes please!", with proper
explanations of what it actually means for your security.

patpro also has a point on the odds of SQLi into the token DB vs. email
account takeover. My take is that if your split-token idea can easily
(cost/time) be implemented, and the chances of FUBAR by junior devs are
small, I say it's a

Something to add for the OWASP pwd reset cheat sheet as soon as this
list is done debating and attacking your proposal?

Best regards,
Per Thorsheim
Founder of
Phone: +47 90 99 92 59 (Use Signal!)
Twitter: @thorsheim
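As an added illustration of the split-token scheme this reply is endorsing, here is a small Python model written for this page; it is not code from Scott's blog post, from Paragon Initiative Enterprises, or from the OWASP cheat sheet. It assumes the scheme is the selector/verifier split: the token mailed to the user is selector concatenated with verifier, the table stores only the selector and a hash of the verifier, the selector is what the database looks up, and the verifier hash is compared in constant time in application code. The class, field names and the in-memory "table" are my own constructions.

```python
"""Split-token password reset: selector + verifier (constructed example).

Why split: looking a secret token up by an indexed DB column leaks timing
through the database's own string comparison, and a read-only SQLi on the
token table would hand the attacker redeemable tokens. Here the lookup key
(selector) is not secret on its own, the secret part (verifier) is stored
only as a hash, and the hash comparison is constant time.
"""
import hashlib
import hmac
import secrets
import time

SELECTOR_BYTES = 16   # 32 hex chars: DB lookup key, useless alone
VERIFIER_BYTES = 32   # 64 hex chars: the secret, hashed before storage


class ResetTokenStore:
    def __init__(self):
        # Hypothetical in-memory table standing in for the token DB:
        # selector -> {"user_id", "verifier_hash", "expires_at"}
        self.rows = {}

    def issue(self, user_id, ttl_seconds=3600, now=None):
        """Create a reset token; return the full token to send by e-mail."""
        now = time.time() if now is None else now
        selector = secrets.token_hex(SELECTOR_BYTES)
        verifier = secrets.token_hex(VERIFIER_BYTES)
        # Only the hash of the verifier is persisted. A plain SHA-256 is
        # enough here because the verifier is 256 bits of CSPRNG output,
        # not a user-chosen password.
        self.rows[selector] = {
            "user_id": user_id,
            "verifier_hash": hashlib.sha256(verifier.encode()).hexdigest(),
            "expires_at": now + ttl_seconds,
        }
        return selector + verifier

    def redeem(self, token, now=None):
        """Return the user_id if the token is valid (single use), else None."""
        now = time.time() if now is None else now
        sel_len = SELECTOR_BYTES * 2
        if len(token) != sel_len + VERIFIER_BYTES * 2:
            return None
        selector, verifier = token[:sel_len], token[sel_len:]
        # Indexed lookup by selector. Its timing may reveal whether the
        # selector exists, which is acceptable: the selector is not secret.
        row = self.rows.get(selector)
        if row is None:
            return None
        candidate = hashlib.sha256(verifier.encode()).hexdigest()
        # Constant-time compare of the verifier hash, in app code, not in SQL.
        if not hmac.compare_digest(candidate, row["verifier_hash"]):
            return None
        # Expired or consumed tokens are removed either way.
        del self.rows[selector]
        if now > row["expires_at"]:
            return None
        return row["user_id"]


if __name__ == "__main__":
    store = ResetTokenStore()
    token = store.issue("alice")
    selector = token[:SELECTOR_BYTES * 2]
    leaked = store.rows[selector]          # what a SELECT * via SQLi would show
    print("stored row:", leaked)
    forged = selector + leaked["verifier_hash"]   # same length as a real token
    print("forged from leaked row ->", store.redeem(forged))   # None
    print("genuine token          ->", store.redeem(token))    # alice
    print("replayed token         ->", store.redeem(token))    # None
```

The forged-token attempt in the demo is the SQLi case raised in the thread: an attacker who can read the token table gets the selector and the verifier hash, and neither redeems. The e-mail account takeover case is, by construction, not addressed by the token design at all, which is the point of the odds comparison.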
