Penetration Testing mailing list archives
Re: pen testing https portal?
From: "Nathan Keltner" <shiftnato () gmail com>
Date: Fri, 8 Sep 2006 09:58:25 -0500
Is the 1st pin ('1234') static? I.e., does it change into '0192', requiring the user to write down their current PIN after every login? I'm guessing that's not the case b/c of the difficulties users would have with such a system.

So, assuming '1234' is your PIN all the time, and the temporary '0192' changes each login, you're effectively using '1234' as the password every time. The '0192' is irrelevant from a security perspective, and probably an unneeded burden on your users. It doesn't buy you any more security that I can see, other than requiring two passwords ('1234' and 'password'). It is not two-factor or a similar solution.

On 7 Sep 2006 20:44:39 -0000, mismail () postmaster co uk <mismail () postmaster co uk> wrote:
has anyone ever tested a https portal? basically i have a client who has constructed a https portal that allows all workers to log on from anywhere and access apps and files. how it works is the username and pw are the user's AD logon details, the pin is emailed to the user, so for example when the user logs on he has a button saying generate pin! now say for example he has a pin of 1234; when he hits generate pin a picture comes up like this:

1234567890
0192837465

so the user finds his 1st number in his pin, and types the number below it, same with 234, and enters that into the pin field:

username: bloggs
pw: password
pin: 0192

the pin is one time unique! has anyone ever come across a setup like this? sorry for the long post! hope you can help!

------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------
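As an added illustration of Nathan's point (example code, not from either poster): a model of the "generate pin" picture described in the quoted post. Because the shuffled row is shown to the same browser that submits the four digits, whoever can see both (the user's screen, the session, an interception proxy) can invert the table and read the static PIN back, so the "one-time" value is only a reversible encoding of it. The row strings, function names and the constructed static PIN 1234 are this example's assumptions.

```python
"""Model of the portal's 'generate pin' challenge from the thread.

Constructed example: the picture is modelled as two digit rows, the fixed
row 1234567890 and a shuffled bottom row such as 0192837465.
"""
import secrets
import string

TOP_ROW = "1234567890"  # the fixed row shown in the picture


def new_challenge() -> str:
    """Portal side: shuffle the bottom row for this login attempt."""
    digits = list(string.digits)
    secrets.SystemRandom().shuffle(digits)
    return "".join(digits)


def derive_one_time_pin(static_pin: str, bottom_row: str) -> str:
    """User side: for each digit of the static PIN, read the digit beneath it."""
    table = dict(zip(TOP_ROW, bottom_row))
    return "".join(table[d] for d in static_pin)


def recover_static_pin(one_time_pin: str, bottom_row: str) -> str:
    """Anyone who saw both the picture and the submitted value inverts the table.

    The bottom row is a permutation of the digits, so the table is a bijection
    and the 'one-time' PIN is just a reversible encoding of the static one.
    """
    inverse = dict(zip(bottom_row, TOP_ROW))
    return "".join(inverse[d] for d in one_time_pin)


def is_static_password_in_disguise(static_pin: str, trials: int = 5) -> bool:
    """Defender's check: over independent challenges, a single observed
    (picture, response) pair is always enough to learn the static PIN."""
    for _ in range(trials):
        row = new_challenge()
        otp = derive_one_time_pin(static_pin, row)
        if recover_static_pin(otp, row) != static_pin:
            return False
    return True


if __name__ == "__main__":
    # The exact picture from the post: 1234 under 1234567890/0192837465 -> 0192
    print(derive_one_time_pin("1234", "0192837465"))
    print(recover_static_pin("0192", "0192837465"))
```

Contrast this with a real one-time-password scheme, where the response depends on a secret the observer never sees (a token seed or a second channel), so capturing one exchange yields nothing reusable.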