[thelist] hashing stored passwords (revisited)

Ken Schaefer ken at adOpenStatic.com
Thu Jun 26 01:07:13 CDT 2003


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From: "Gary McPherson" <genyus at ingenyus.net>
Subject: RE: [thelist] hashing stored passwords (revisited)


:  As I am generating random passwords sent via email
: (to validate their email addresses) and forcing them to reset
: on first login, I could simply repeat the process for forgotten
: passwords.
:
: Unless anyone can think of a good reason not to?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

It really depends on what you're trying to protect. If I have access to the
user's mailbox, but not the password in question, then I could initiate a
password reset, and get access to the new, random, password. I wouldn't be
able to do that with a "challenge question: secret answer" type system.

I'm pretty sure I've written this before: Authentication depends on
something the user has (e.g. smartcard) or something the user knows (e.g. password)
or a combination of both (e.g. ATM card + PIN). If you rely on "something the
user knows" and they forget it, then setting things up again is a problem.

You need some alternate way of authenticating the user. You might rely on
the fact that only the user should have access to their mailbox. Or you
might force them to come up to the IT Helpdesk and have a support person
reset their password.

Secrets and Lies: Digital Security in a Networked World, by Bruce Schneier
is worth reading (4 1/2 stars at amazon.com)

Cheers
Ken
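The flow Gary describes (random temporary password sent out of band, hashed at rest, forced change on first login), as an added example that is not code from either poster. The in-memory user table, the field names, the one-hour validity window and the PBKDF2 parameters are assumptions for illustration.

```python
import hashlib, hmac, os, secrets, time

# Constructed in-memory "user table": username -> record (assumed layout).
USERS = {}
PBKDF2_ROUNDS = 200_000

def _hash(secret: str, salt: bytes) -> bytes:
    # Salted, iterated hash: only this is stored, never the plaintext.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)

def issue_temporary_password(username: str, ttl_seconds: int = 3600, now=None) -> str:
    """Generate a random temporary password, store only its salted hash,
    and flag the account so the first successful login must change it.
    The plaintext is returned once so it can be emailed; it is not stored."""
    temp = secrets.token_urlsafe(12)
    salt = os.urandom(16)
    USERS[username] = {
        "salt": salt,
        "hash": _hash(temp, salt),
        "must_reset": True,
        "expires": (now if now is not None else time.time()) + ttl_seconds,
    }
    return temp

def verify(username: str, password: str, now=None) -> str:
    """Return 'ok', 'must_reset' or 'denied'. A temporary password is
    rejected once its validity window has passed, limiting how long a
    mailbox compromise is useful to an attacker."""
    rec = USERS.get(username)
    if rec is None:
        return "denied"
    current = now if now is not None else time.time()
    if rec["must_reset"] and current > rec["expires"]:
        return "denied"
    if not hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"]):
        return "denied"
    return "must_reset" if rec["must_reset"] else "ok"

def set_password(username: str, old: str, new: str, now=None) -> bool:
    """Forced reset on first login: the temporary password (or the current
    one) may only be exchanged for a new, user-chosen password."""
    if verify(username, old, now) == "denied":
        return False
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash(new, salt),
                       "must_reset": False, "expires": None}
    return True
```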


