[LINK] Automated processing of lost passwords

Adam Todd link at todd.inoz.com
Mon Feb 12 18:33:15 AEDT 2007


At 03:40 PM 12/02/2007, Lea de Groot wrote:
>On Mon, 12 Feb 2007 14:59:30 +1100, David Lochrin wrote:
> >    Many websites with a restricted-access area include an automated
> > process for handling forgotten passwords.  Usually the user emails to
> > a "forgotten password" address ("forgot your password" - sic) and the
> > system emails back the current (or an updated) password.
>
>I've never seen this.
>I have only seen sites where you give *the site* your account details
>and it pulls the verified email address out of the database and sends
>the password reminder to that address.
>Thus only the person who is authorised for the account can get the
>message (assuming their email account is secure - but that isn't the
>website's problem)

Which of course means all those people who use the same password for their 
eBay, PayPal and banking will get quite a shock!

And then there are the Hotmail phishing attempts that net many a 
password.  Start loading Hotmail addresses into lost password forms on web 
sites (which can be done automatically) and voila!

>Never seen a site that says 'email me a password request'

I was going to say nor have I, but then I remembered that AUNIC used to work 
this way for many years.  As did NSI when it was managing the DNS.

Thinking even harder, I can now start to think of quite a few.  But I'd be 
incredibly surprised if anyone does that nowadays with the ease of even a 
text browser use and access.






