Date: Wed, 21 Sep 2016 10:53:14 +0200
From: Per Thorsheim <per@...rsheim.net>
To: passwords@...ts.openwall.com
Subject: Re: Blog Post about Password Resets

On 20.09.2016 21.39, Scott Arciszewski wrote:
> Hello,
> 
> I'll not make a regular habit of doing this, but I thought this blog
> post might be of interest to the readers of this mailing list:
> 
> https://paragonie.com/blog/2016/09/untangling-forget-me-knot-secure-account-recovery-made-simple
> 
> It discusses the common design flaws with password reset features and
> proposes how to implement them securely. There's a TL;DR at the end.
> 
> I'd greatly appreciate any feedback or criticism anyone can offer.
> 
> Scott Arciszewski
> Chief Development Officer
> Paragon Initiative Enterprises <https://paragonie.com>

<top or bottom quoting - that's the eternal question!>

Ok, I really like your split-token idea. Bonus points for applying
constant-time to remove a potential timing leak.

Agree with Evan Johnson
https://twitter.com/ejcx_/status/778434248197808128 that opt-in password
reset is NOT something you would do by default, but as opt-out I say
"yes please!", with proper explanations of what it actually means for
your security.

patpro https://twitter.com/p4tpr0/status/778505844459708416 also has a
point on the odds of SQLi into the token DB vs. email account takeover. My
take is that if your split-token idea can easily (cost/time) be
implemented, and the chances of FUBAR by junior devs are small, I say it's a
quick win.

Something to add for the OWASP pwd reset cheat sheet as soon as this
list is done debating and attacking your proposal?


-- 
Best regards,
Per Thorsheim
CISA, CISM, CISSP, ISSAP
Founder of PasswordsCon.org
Phone: +47 90 99 92 59 (Use Signal!)
Twitter: @thorsheim
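The split-token reset flow discussed in this thread, as an added example that is not code from the blog post or from either poster: the token in the e-mailed link is a public selector plus a secret verifier; the database keeps the selector and only a hash of the verifier, the lookup uses the selector, and the verifier hash is compared in constant time. The in-memory `TOKEN_DB` dict, the lengths and the one-hour lifetime are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stand-in for the token table (selector -> row).
# Only SHA-256(verifier) is stored, so reading this table (e.g. through
# SQL injection) does not yield a usable reset link.
TOKEN_DB = {}

TOKEN_TTL_SECONDS = 3600  # assumed lifetime of a reset link
SELECTOR_LEN = 16         # hex chars; assumed sizes for the example
VERIFIER_LEN = 64


def issue_reset_token(user_id, now=None):
    """Create a split token; return the string that goes into the e-mailed link."""
    now = time.time() if now is None else now
    selector = secrets.token_hex(SELECTOR_LEN // 2)  # public part: row lookup key
    verifier = secrets.token_hex(VERIFIER_LEN // 2)  # secret part: never stored in clear
    TOKEN_DB[selector] = {
        "user_id": user_id,
        "verifier_hash": hashlib.sha256(verifier.encode()).digest(),
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return selector + verifier


def redeem_reset_token(token, now=None):
    """Return the user id for a valid, unexpired token, or None. Tokens are single-use."""
    now = time.time() if now is None else now
    if len(token) != SELECTOR_LEN + VERIFIER_LEN:
        return None
    selector, verifier = token[:SELECTOR_LEN], token[SELECTOR_LEN:]
    # The selector is not secret, so an ordinary (non-constant-time) lookup is fine.
    row = TOKEN_DB.get(selector)
    if row is None:
        return None
    candidate = hashlib.sha256(verifier.encode()).digest()
    # Constant-time comparison: a plain == on the hash would leak, through
    # response timing, how many leading bytes of the verifier were right.
    if not hmac.compare_digest(candidate, row["verifier_hash"]):
        return None
    del TOKEN_DB[selector]  # consume the token whether or not it is still fresh
    if now > row["expires"]:
        return None
    return row["user_id"]
```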
