WebApp Sec mailing list archives

Re: OpenID and the web


From: "Razi Shaban" <razishaban () gmail com>
Date: Thu, 27 Mar 2008 18:06:47 +0200

That is an attack that is relatively easy to prevent. If a malicious
user has the password, then no measure of protection can stop them.

--
Razi

On 3/27/08, Lucas Oman <me () lucasoman com> wrote:
 Razi Shaban wrote:
 > If you use a different account name and password at every single
 > website, then if one account is compromised then all your other
 > accounts are safe.

 This is really not so, since most users sign up with the same email
 address. All an attacker needs to do is crack the email account and use
 the "forgot password" feature on most websites. Like it or not, most of
 us already have a single PoF in the security of our online identities.

 Lucas Oman

 --
 Web Software Dev
 Consultant
 Nerd
 912.655.9594
 www.lucasoman.com
