[WEB SECURITY] quick question on password reset 'best practices'

Martin O'Neal martin.oneal at corsaire.com
Fri Jun 6 10:17:47 EDT 2008


> Not gonna happen. So many systems are already 
> built based upon this identifier (plus many more 
> coming online) and not going to change anytime 
> soon. Better to work around the practice and see 
> if we can make it secure rather than trying to 
> fight an uphill battle changing people's hearts 
> and minds.

LOL.  Until the pre-authentication information stops being both public
and sensitive it will never be secure; all you can do is tinker at the
edges.

As an aside, the move away from email-address usernames is a necessity
for some.  In the UK we have the Data Protection Act (DPA), and the
Durant [1] test case effectively made an email address in itself
personal identifying information.

Martin...


[1] http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/the_durant_case_and_its_impact_on_the_interpretation_of_the_data_protection_act.pdf
