List: General Discussion
From: Benjamin Pflugmann
Date: August 11 2002 6:05pm
Subject: Re: [OT] assigning new passwords (was: Need reversible encryption as string)

Hi.

I am dragging this a bit off-topic here, but the answer below brings up a
question which bothered me for some time...

On Sun 2002-08-11 at 17:30:46 +0100, mike.hall@stripped wrote:
> An easier (and more secure) way, surely, is to use one-way encryption... and
> if a user forgets his/her password, replace it with a random alphanumeric
> string and mail that to them instead with instructions to change it to one
> of their own choosing as soon as possible.

Although I always liked this idea best security-wise, it can be abused
quite easily. Whenever someone enters some account, the password for
this account will be reset (and an email sent). If the email works
fine, this is only a major annoyance. If the email of the account does
not work anymore, this is a DoS "service" for that account: The
password the account owner knew has been changed and he has no
possibility to retrieve the new one. How do you prevent this?

My current solution works with the old password. Surely this has its
drawbacks security-wise, but it can only be abused to send these
e-mails to people, for which a limit is realized.

So back to my question above. With the good-security solution, how can
I prevent the abuse mentioned?

Bye,
	
	Benjamin.

-- 
benjamin-mysql@stripped