[WEB SECURITY] quick question on password reset 'best practices'

Martin O'Neal martin.oneal at corsaire.com
Wed Jun 4 12:52:45 EDT 2008

> This is clever and would be fun to test out. Would anyone on the

I don't want to always be the curmudgeonly old-fart, but the level of
gain in some of this engineering may be way less than the work required
to implement it, then tune it to a point where it works satisfactorily
in all circumstances.  An example of a situation where a minimal delay
added to a response could quickly lose value is resource exhaustion; all
the attacker has to do is to make the response time disproportionate to
the arbitrary delay.  The process may work as expected when you have
single requests, but as soon as you fire 100 in parallel the backend
process gets delayed and is back leaking timing information again.

A better approach would be to solve the root issue; make the
pre-authentication information as benign as possible, and get away from
the use of public information as user identifiers (like email


Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn

More information about the websecurity mailing list