Educause Security Discussion mailing list archives
Re: Self-service password reset approaches
From: Chris Edwards <chris () ENG GLA AC UK>
Date: Fri, 17 Feb 2012 12:19:18 +0000
On Tue, 14 Feb 2012, Kevin Shalla wrote:

| If the account is compromised and the villain changed the password so
| the account owner cannot log in, then we may lock the account if we
| think it's really been compromised, but require the owner to come in to
| get a new password

Right.

| (or if the owner had already set up a backup e-mail, then the person can
| reset the password by using a link sent to that backup e-mail account).

How do you know the hacker hasn't changed the backup email address to one
they control??

It seems to me the "password reset link sent to backup email" plan is fine
if the user forgets their password, but perhaps should not be allowed if
the account is locked due to being compromised. Here, the user needs to
come in, or at least, re-authenticate themselves in some way the hacker
cannot tamper with.

Chris

--
Chris Edwards
IT Security, Computing Service
University of Glasgow, charity number SC004401
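One way to encode the distinction the message above draws, as an added example that is not part of the original thread or of any institution's reset system: a reset-eligibility policy that sends a link to the backup e-mail only for the ordinary "forgot my password" case, and routes an account locked as compromised (or whose backup address was changed after the first sign of attacker activity, or changed too recently to trust) to an in-person or otherwise tamper-proof re-authentication. The account model, field names, the 7-day settle window and 30-minute token lifetime are assumptions for this example, and the timestamps are constructed. The token handling goes slightly beyond the thread: only a hash of each single-use token is stored, so a leaked table does not yield working links.

```python
"""Self-service password reset policy (added example; not from the original thread).

Assumed account model: lock reason, verified backup e-mail, when that address
was last set, and the earliest time a compromise was suspected (if ever).
"""
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, Optional, Tuple


class LockReason(Enum):
    NONE = "none"                # usable account; the user merely forgot the password
    COMPROMISED = "compromised"  # locked by IT because a takeover is suspected


class Decision(Enum):
    EMAIL_LINK = "send reset link to backup e-mail"
    IN_PERSON = "require in-person or other tamper-proof re-authentication"


@dataclass(frozen=True)
class Account:
    username: str
    lock_reason: LockReason
    backup_email: Optional[str]
    backup_email_verified: bool
    backup_email_set_at: Optional[datetime]      # when the current address was stored
    compromise_suspected_at: Optional[datetime]  # earliest sign of attacker activity, if any


SETTLE_WINDOW = timedelta(days=7)   # assumed: recovery-contact changes are distrusted this long
TOKEN_TTL = timedelta(minutes=30)   # assumed reset-link lifetime


def reset_decision(acct: Account, now: datetime) -> Tuple[Decision, str]:
    """Return (decision, reason) for a self-service reset request."""
    # Locked as compromised: the attacker may already control the backup
    # address, so the e-mail channel is untrusted whatever it contains.
    if acct.lock_reason is LockReason.COMPROMISED:
        return Decision.IN_PERSON, "account locked as compromised"
    if not acct.backup_email or not acct.backup_email_verified or acct.backup_email_set_at is None:
        return Decision.IN_PERSON, "no verified backup e-mail on file"
    # Backup address changed after the first sign of attacker activity.
    if acct.compromise_suspected_at and acct.backup_email_set_at >= acct.compromise_suspected_at:
        return Decision.IN_PERSON, "backup e-mail changed after suspected compromise"
    # A freshly changed recovery contact is a common takeover footprint; let it settle.
    if now - acct.backup_email_set_at < SETTLE_WINDOW:
        return Decision.IN_PERSON, "backup e-mail changed too recently"
    return Decision.EMAIL_LINK, "verified backup e-mail, unchanged for the settle window"


# sha256(token) -> (username, expiry). Only the hash is stored.
ISSUED: Dict[str, Tuple[str, datetime]] = {}


def _token_id(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_link(acct: Account, now: datetime) -> Optional[str]:
    """Mint a single-use token if policy allows; None means use the in-person path."""
    decision, _ = reset_decision(acct, now)
    if decision is not Decision.EMAIL_LINK:
        return None
    token = secrets.token_urlsafe(32)
    ISSUED[_token_id(token)] = (acct.username, now + TOKEN_TTL)
    return token


def redeem_reset_token(token: str, now: datetime) -> Optional[str]:
    """Return the username if the token is valid and unexpired; tokens are one-shot."""
    entry = ISSUED.pop(_token_id(token), None)
    if entry is None:
        return None
    username, expires = entry
    return username if now < expires else None


# Constructed sample data for a stand-alone run.
NOW = datetime(2012, 2, 17, 12, 0, tzinfo=timezone.utc)
FORGOT = Account("alice", LockReason.NONE, "alice@example.org", True,
                 NOW - timedelta(days=90), None)
HIJACKED = Account("bob", LockReason.COMPROMISED, "mailbox@example.net", True,
                   NOW - timedelta(hours=2), NOW - timedelta(hours=3))
RECENT_CHANGE = Account("carol", LockReason.NONE, "carol@example.org", True,
                        NOW - timedelta(days=1), None)
SUSPECT_UNLOCKED = Account("dave", LockReason.NONE, "dave@example.org", True,
                           NOW - timedelta(days=30), NOW - timedelta(days=31))

if __name__ == "__main__":
    for acct in (FORGOT, HIJACKED, RECENT_CHANGE, SUSPECT_UNLOCKED):
        decision, reason = reset_decision(acct, NOW)
        print(f"{acct.username:6} {decision.name:10} {reason}")
```

The order of the checks matters: the compromise lock is tested before the backup address is even looked at, so nothing the attacker did to the recovery contact can open the e-mail path, and the settle window catches the case where the account was not yet locked but the recovery contact was just changed.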
Current thread:
- Re: Self-service password reset approaches, (continued)
- Re: Self-service password reset approaches Steve Werby (Feb 09)
- Re: Self-service password reset approaches Theresa Rowe (Feb 14)
- Re: Self-service password reset approaches Roger A Safian (Feb 14)
- Re: Self-service password reset approaches Theresa Rowe (Feb 14)
- Re: Self-service password reset approaches Kevin Shalla (Feb 14)
- Re: Self-service password reset approaches Roger A Safian (Feb 14)
- Re: Self-service password reset approaches Kevin Shalla (Feb 14)
- Re: Self-service password reset approaches Roger A Safian (Feb 14)
- Re: Self-service password reset approaches Kevin Shalla (Feb 14)
- Re: Self-service password reset approaches Burton, Abigail F (Feb 14)
- Re: Self-service password reset approaches Theresa Rowe (Feb 14)
- Re: Self-service password reset approaches Chris Edwards (Feb 17)
- Re: Self-service password reset approaches Steve Werby (Feb 09)
- Re: Self-service password reset approaches Gary Flynn (Feb 14)
- Re: Self-service password reset approaches Roger A Safian (Feb 14)
- Re: (***POSSIBLE SPAM***) Re: [SECURITY] Self-service password reset approaches SCHALIP, MICHAEL (Feb 14)
- Re: (***POSSIBLE SPAM***) Re: [SECURITY] Self-service password reset approaches Gary Flynn (Feb 14)
- Re: (***POSSIBLE SPAM***) Re: [SECURITY] Self-service password reset approaches Mark Borrie (Feb 16)
- Re: (***POSSIBLE SPAM***) Re: [SECURITY] Self-service password reset approaches Gary Flynn (Feb 21)
- Re: Self-service password reset approaches randy marchany (Feb 14)
- Re: Self-service password reset approaches Chris Edwards (Feb 17)
- Re: Self-service password reset approaches Steve Werby (Feb 20)