[WEB SECURITY] quick question on password reset 'best practices'

Martin O'Neal martin.oneal at corsaire.com
Fri Jun 6 10:17:47 EDT 2008

> Not gonna happen. So many systems are already 
> built based upon this identifier (plus many more 
> coming online) and not going to change anytime 
> soon. Better to work around the practice and see 
> if we can make it secure rather than trying to 
> fight an uphill battle changing people's hearts 
> and minds.

LOL.  Until the pre-authentication information stops being both public
and sensitive it will never be secure; all you can do is tinker at the

As an aside, the move away from email-address usernames is a necessity
for some.  In the UK we have the Data Protection Act (DPA), and the
Durant [1] test case effectively made an email address in itself
personal identifying information.
