[LINK] Automated processing of lost passwords

Craig Sanders cas at taz.net.au
Mon Feb 12 15:41:35 AEDT 2007


On Mon, Feb 12, 2007 at 02:59:30PM +1100, David Lochrin wrote:
>    Many websites with a restricted-access area include an automated
>    process for handling forgotten passwords.  Usually the user emails
>    to a "forgotten password" address ("forgot your password" - sic)
>    and the system emails back the current (or an updated) password.

usually the user doesn't email a "forgotten password" address. they
click on a "forgotten password" link on the web site and the site emails
them a password reminder (or a new/changed password).

sometimes the site will send them a URL to click on to change the password.

>    I assume the normal action is merely to verify that the email
>    originates from the user's registered email address.  But can any
>    Linker say how easy this is to forge?  When an email is relayed via
>    intermediate MHS servers, is all the protocol information derived
>    from the email header?

any email address is trivial to forge. there are no checks done by the
sending or receiving server that the sender is actually who they say
they are. nor is there any mechanism for doing so (SMTP Auth
doesn't necessarily authenticate the sender's real identity, it just
authenticates that you are allowed to relay mail via that server).


>    If a suitably resourced nasty knows an individual's email address
>    and discovers that s/he has an account on a particular website, how
>    easy is it for them to penetrate the "forgotten password" process?

how easy is it for the user's email to be intercepted?

craig

-- 
craig sanders <cas at taz.net.au>

Currently listening to: Entheogenic - Ground Luminosity (Ott's New Y

BOFH excuse #16:

somebody was calculating pi on the server
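Because the sender address of an email cannot be trusted, the safer design is the one Craig mentions in passing: the site emails a URL carrying a random, single-use, expiring token and never relies on the From address at all. The following is an added Python example, not code from the original message or from any site discussed; the in-memory user and token stores, the example.com URL and the 15-minute link lifetime are assumptions.

```python
import hashlib
import secrets
import time

# Constructed in-memory stores (assumption: a real site would use its database).
USERS = {"alice@example.com": {"password_hash": None}}
RESET_TOKENS = {}  # sha256(token) -> {"email": ..., "expires": ...}
TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link

def hash_password(password, salt=None):
    # Salted PBKDF2 so a leaked store does not expose reusable credentials.
    salt = salt or secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def verify_password(email, password):
    stored = USERS.get(email, {}).get("password_hash")
    if stored is None:
        return False
    return secrets.compare_digest(stored, hash_password(password, stored[:16]))

def issue_reset_token(email, now=None):
    """Create a single-use, time-limited token for a registered address.
    Returns the plaintext token to put in the emailed URL, or None when the
    address is unknown; the caller should show the same generic message in
    both cases so the form does not reveal which addresses are registered.
    Only a hash of the token is stored, so a database leak yields no usable links."""
    if email not in USERS:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = {
        "email": email, "expires": now + TOKEN_TTL_SECONDS}
    return token

def reset_url(token, base="https://example.com/reset"):  # assumed URL
    return f"{base}?token={token}"

def redeem_reset_token(token, new_password, now=None):
    """Consume the token presented via the URL; True only if it was valid and
    unexpired. It is removed on any attempt, so a link cannot be replayed."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or now > entry["expires"]:
        return False
    USERS[entry["email"]]["password_hash"] = hash_password(new_password)
    return True
```

Note that the emailed link is the only proof of control: the reset form itself should accept the token and new password over HTTPS and never echo the token anywhere else.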
