Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 16 May 2018 19:02:08 -0400
From: "Denny O'Breham" <obreham@...il.com>
To: passwords@...ts.openwall.com
Subject: Re: Keeping old passwords

What I find funny is that while I was logging from unusual IPs and
browsers, I was able to do whatever I wanted (log off & on again).  It
is only when I returned to my usual IP and browser that I got the 'You
must change your password' message.

I understand that if they asked on the unusual locations, they could
have simply forced the 'hacker' to change my password.  Then again, if
I didn't log on for a week or a month, the hacker was free to do
whatever he wanted with my account during that time.

So what protection do I gain as a user?  Once the 'hacker' is logged
on, you're pretty much done, no?

Just sending an email to the user's recovery email to inform the user
of suspicious activities might be better.  Although, some users have
their recovery email forwarded to their gmail account ... so the
hacker will have a field day with this, just like if there was nothing
done at all.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.