[WEB SECURITY] Password Reset

James Manico jim at manico.net
Sat May 29 16:42:04 EDT 2010


> > Passwords are here to stay for a long, long time I suspect.

No way. Within ten years your cellphone will serve as a key part of
multi-factor authentication for most sites. Wanna bet? Williams,
myself and a few others have a ten year bet underway - you want in?

Jim Manico

On May 29, 2010, at 1:07 PM, "Arian J. Evans" <arian.evans at anachronic.com> wrote:

> Schneier??? You're joking, right? You'd be hard pressed to find
> someone more out of touch with modern web security, that is still
> considered a "quotable" security expert. Let alone Bruce appears to
> have zero successful experience in the web business world.
>
> I think if Schneier recommends a difficult process - that is a strong
> vote for not doing it in the name of good business sense.
>
> I mean - read the article. It's all about Bruce, not about business.
> Like most of his ramblings.
>
> <quote>"Passwords have reached the end of their useful life. Today,
> they only work for low-security applications. The secret question is
> just one manifestation of that fact."</cliche>
>
> Those sorts of absolutist statements make for good bombastic
> blogging... but it doesn't change the fact that 5 years later he's
> still dead wrong.
>
> ciao
>
> ---
> Arian Evans
>
>
>
> On Fri, May 28, 2010 at 11:40 PM, Bil Corry <bil at corry.biz> wrote:
>> Jim Manico wrote on 5/28/2010 2:12 PM:
>>>> If there's already a process in place to handle accounts that are
>>>> locked out, why not just leverage that process to reset the account?
>>>
>>> 'Cause that process is call center based. An automated process would
>>> reduce that call volume. So far, most proposals are less secure
>>> than the actual authentication layer.
>>
>> FWIW, Schneier argues that password resets should work just like
>> that: a difficult process for the very reason you mentioned:
>>
>>        http://www.schneier.com/blog/archives/2005/02/the_curse_of_th.html
>>
>> You might find this paper interesting:
>>
>>        http://www.guanotronic.com/~serge/papers/oakland09.pdf
>>
>>
>> - Bil
>>

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA