Re: pen testing https portal?

["Nathan Keltner" <shiftnato () gmail com>]

Is the 1st pin ('1234') static?  I.e., does it change into '0192',
requiring the user to write down their current PIN after every login?
I'm guessing that's not the case b/c of the difficulties users would
have with such a system.

So, assuming '1234' is your PIN all the time, and the temporary '0192'
changes each login, you're effectively using '1234' as the password
every time.  The '0192' is irrelevant from a security perspective, and
probably an unneeded burden on your users.  It doesn't buy you any
more security that I can see, other than requiring two passwords
('1234' and 'password').  It is not two-factor or a similar solution.

On 7 Sep 2006 20:44:39 -0000, mismail () postmaster co uk
<mismail () postmaster co uk> wrote:
> has any ever tested a https portal?
>
>
> basically i have a client who has constructed a https portal to all works logon on from anywhere and access apps and 
> files.
>
>
> how it works is the username and pw are the users AD logon details, the pin is emailed to the user, so for example when 
> the user logs on he has a button saying generate pin!
>
>
> now say for example he has a pin of 1234 when hits generate pin a picture comes up like this
>
>
> 1234567890
>
> 0192837465
>
>
> so the user find his 1st number in his pin, and types the number below it, same with 234 and enters that into the pin 
> field:
>
>
> username: bloggs
>
> pw: password
>
> pin: 0192
>
>
> the pin is one time unique! has anyone ever come across a setup like this?
>
>
> sorry for the long post!
>
>
> hope you can help!
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
> http://www.cenzic.com/products_services/download_hailstorm.php
> ------------------------------------------------------------------------


On 7 Sep 2006 20:44:39 -0000, mismail () postmaster co uk
<mismail () postmaster co uk> wrote:
> has any ever tested a https portal?
>
>
> basically i have a client who has constructed a https portal to all works logon on from anywhere and access apps and 
> files.
>
>
> how it works is the username and pw are the users AD logon details, the pin is emailed to the user, so for example when 
> the user logs on he has a button saying generate pin!
>
>
> now say for example he has a pin of 1234 when hits generate pin a picture comes up like this
>
>
> 1234567890
>
> 0192837465
>
>
> so the user find his 1st number in his pin, and types the number below it, same with 234 and enters that into the pin 
> field:
>
>
> username: bloggs
>
> pw: password
>
> pin: 0192
>
>
> the pin is one time unique! has anyone ever come across a setup like this?
>
>
> sorry for the long post!
>
>
> hope you can help!
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
> http://www.cenzic.com/products_services/download_hailstorm.php
> ------------------------------------------------------------------------

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------