Date: Wed, 21 Sep 2016 10:53:14 +0200 From: Per Thorsheim <per@...rsheim.net> To: passwords@...ts.openwall.com Subject: Re: Blog Post about Password Resets Den 20.09.2016 21.39, skrev Scott Arciszewski: > Hello, > > I'll not make a regular habit of doing this, but I thought this blog > post might be of interest to the readers of this mailing list: > > https://paragonie.com/blog/2016/09/untangling-forget-me-knot-secure-account-recovery-made-simple > > It discusses the common design flaws with password reset features and > proposes how to implement them securely. There's a TL;DR at the end. > > I'd greatly appreciate any feedback or criticism anyone can offer. > > Scott Arciszewski > Chief Development Officer > Paragon Initiative Enterprises <https://paragonie.com> <top or bottom quoting - that's the eternal question!> Ok, I really like your split-token idea. Bonus points for applying constant-time to remove a potential timing leak. Agree with Evan Johnson https://twitter.com/ejcx_/status/778434248197808128 that opt in password reset is NOT something you would do by default, but as opt out I say "yes please!". With proper explanations of what it actually means for your security. patpro https://twitter.com/p4tpr0/status/778505844459708416 also has a point on the odds of SQLi into tokenDB vs email account takeover. My take is that if your split-token idea can easily (cost/time) be implemented, and chances of FUBAR by junior.devs are small, I say its a quickwin. Something to add for the OWASP pwd reset cheat sheet as soon as this list is done debating and attacking your proposal? -- Best regards, Per Thorsheim CISA, CISM, CISSP, ISSAP Founder of PasswordsCon.org Phone: +47 90 99 92 59 (Use Signal!) Twitter: @thorsheim
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.