From: Kevin Spett (kspett_at_spidynamics.com)
Date: Fri Oct 18 2002 - 14:52:15 CDT
> Try the transport of the email itself is plaintext and in theory hijacking
> is possible. Perhaps
> tie the id to the ip addy of the person requesting it so that only the
> person requesting the password
> can view this link that times out after 1 use.
IP-based solutions have many problems because of NAT, user mobility, etc.
that have been discussed on this list before so I'm not going to rehash
them. If an attacker has compromised a mailserver and knows a user has an
account with a website, requesting a new password via email would make a lot
of sense. Verification with other personal information is the way to go.
Kevin Spett
SPI Labs
http://www.spidynamics.com/
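The quoted suggestion describes a reset link that "times out after 1 use". The following is an added illustration of that part of the design, not code from the thread or from SPI Labs: a server-side store that issues a random reset token, keeps only its hash, and invalidates it on the first redemption attempt or after a fixed lifetime. It deliberately does not bind the token to a client IP address, for the NAT and mobility reasons the reply gives. The class name, the 15-minute default lifetime and the injectable clock are assumptions made for the example; the token is still a bearer secret carried over email, so this mechanism limits the window and replay of a stolen link but does not address a compromised mail server on its own.

```python
import hashlib
import secrets
import time


class ResetTokenStore:
    """In-memory store of single-use, time-limited password reset tokens.

    Only a SHA-256 digest of each token is kept, so a copy of the store
    (a database dump, a log line) does not yield usable reset links.
    """

    def __init__(self, ttl_seconds=900, now=time.time):
        # ttl_seconds: assumed lifetime of a link (15 minutes by default).
        # now: clock function, injectable so expiry can be tested offline.
        self.ttl = ttl_seconds
        self.now = now
        self._tokens = {}  # token digest -> (user_id, issued_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user_id):
        """Create a fresh token for user_id and return the secret to email out."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._tokens[self._digest(token)] = (user_id, self.now())
        return token

    def redeem(self, token):
        """Return the user_id for a valid token, or None.

        The record is removed on the first attempt, whether or not it is
        still within its lifetime, which is what makes the link single-use.
        """
        record = self._tokens.pop(self._digest(token), None)
        if record is None:
            return None  # unknown, already used, or previously expired
        user_id, issued_at = record
        if self.now() - issued_at > self.ttl:
            return None  # presented too late; the record is gone either way
        return user_id


if __name__ == "__main__":
    store = ResetTokenStore(ttl_seconds=600)
    link_token = store.issue("alice")  # "alice" is a constructed sample user id
    print("first redemption:", store.redeem(link_token))
    print("second redemption:", store.redeem(link_token))
```

Because `redeem` pops the record before checking the lifetime, an expired link cannot be retried later, and a link used once cannot be replayed even inside its lifetime; both properties follow from the single `pop`.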