[WEB SECURITY] Password Reset

Arian J. Evans arian.evans at anachronic.com
Sat May 29 16:07:47 EDT 2010


Schneier??? You're joking, right? You'd be hard pressed to find
someone more out of touch with modern web security who is still
considered a "quotable" security expert. Let alone that Bruce appears to
have zero successful experience in the web business world.

I think if Schneier recommends a difficult process - that is a strong
vote for not doing it in the name of good business sense.

I mean - read the article. It's all about Bruce, not about business.
Like most of his ramblings.

<quote>"Passwords have reached the end of their useful life. Today,
they only work for low-security applications. The secret question is
just one manifestation of that fact."</cliche>

Those sorts of absolutist statements make for good bombastic
blogging... but it doesn't change the fact that 5 years later he's
still dead wrong.

Passwords are here to stay for a long, long time I suspect.

ciao

---
Arian Evans



On Fri, May 28, 2010 at 11:40 PM, Bil Corry <bil at corry.biz> wrote:
> Jim Manico wrote on 5/28/2010 2:12 PM:
>>>  If there's already a process in place to handle accounts that are
>> locked out, why not just leverage that process to reset the account?
>>
>> Cause that process is call center based. An automated process would
>> reduce that call volume. So far, most proposals are less secure than the
>> actual authentication layer.
>
> FWIW, Schneier argues that password resets should work just like that: a difficult process for the very reason you mentioned:
>
>        http://www.schneier.com/blog/archives/2005/02/the_curse_of_th.html
>
> You might find this paper interesting:
>
>        http://www.guanotronic.com/~serge/papers/oakland09.pdf
>
>
> - Bil
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
>
