
Nope. Password reset != access to password

Posted May 28, 2008 16:53 UTC (Wed) by khim (subscriber, #9252)
In reply to: authenticating with XMPP ID (jabber address) by rfunk
Parent article: The problem(s) with OpenID

If email authentication is used to reset my password, then access to my email is equivalent to access to my password.

If you can only reset the password, then you cannot use email as a password replacement. You cannot return the password to its original state, thus any such access will be visible to the original owner. That's enough for many things.

This is why I hate systems that require me to give them an answer to some simple question "in case I forget my password," since that answer ends up being a weak password-equivalent.

You can always fix the system by entering a word from /dev/random there. On the other hand, the lack of such a system would be a disaster for "normal" people who are not accustomed to the world of IT, where it is possible to create a virtually unbreakable lock. They expect that the police can always open the door if needed...
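The two points argued in the exchange above, as an added example that is not part of the LWN thread and is not code from either commenter: a toy account model in which an email-based reset rotates the stored password (so the mailbox holder gets in, but the owner's old password stops working and the takeover is visible), and a "security question" reset in which a real-world answer falls to a short guess list while an answer drawn from the OS CSPRNG, the "/dev/random" fix, does not. The class and function names, the PBKDF2 work factor and the surname list are all assumptions made for the illustration; the surname list is constructed sample data, not a real table.

```python
import hashlib
import hmac
import math
import os
import secrets
from typing import Iterable, Optional

ITERATIONS = 100_000  # PBKDF2 work factor (assumed value for the illustration)


class Account:
    """Toy account with a password and an optional 'security question' answer (hypothetical model)."""

    def __init__(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(password)
        self.answer_hash: Optional[bytes] = None

    def _hash(self, secret: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), self.salt, ITERATIONS)

    def login(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, self._hash(password))

    def reset_via_email(self, new_password: str) -> None:
        """Reset path behind a mailbox: whoever reads the mail can set a new password,
        but the old one stops working, so the owner notices at the next login."""
        self.pw_hash = self._hash(new_password)

    def set_security_answer(self, answer: str) -> None:
        # Normalise the way real sites do; this makes the answer even easier to guess.
        self.answer_hash = self._hash(answer.strip().lower())

    def reset_via_question(self, answer: str, new_password: str) -> bool:
        """Reset path behind the 'security question': the answer is a password-equivalent."""
        if self.answer_hash is None:
            return False
        if not hmac.compare_digest(self.answer_hash, self._hash(answer.strip().lower())):
            return False
        self.pw_hash = self._hash(new_password)
        return True


# Constructed guess list standing in for a public surname table (sample data, not real).
COMMON_SURNAMES = ["smith", "jones", "williams", "brown", "taylor"]


def email_reset_scenario() -> dict:
    """Attacker with mailbox access resets the password; the owner's password then fails."""
    owner_pw = "correct horse battery staple"
    acct = Account(owner_pw)
    acct.reset_via_email("attacker-chosen")
    return {
        "attacker_logs_in": acct.login("attacker-chosen"),
        "owner_password_still_works": acct.login(owner_pw),  # False: the takeover is visible
    }


def guess_security_answer(acct: Account, guesses: Iterable[str]) -> Optional[str]:
    """Try each guess against the question-based reset; return the one that worked, if any."""
    for guess in guesses:
        if acct.reset_via_question(guess, "attacker-chosen"):
            return guess
    return None


def random_security_answer(nbytes: int = 16) -> str:
    """Answer drawn from the OS CSPRNG (what 'a word from /dev/random' achieves): 8*nbytes bits."""
    return secrets.token_hex(nbytes)


def guess_work_bits(space_size: int) -> float:
    """Bits of guesswork for an answer drawn uniformly from a space of the given size."""
    return math.log2(space_size)


def question_scenario() -> dict:
    """Compare a human-style answer with a random one against the same guess list."""
    weak = Account("owner-pw")
    weak.set_security_answer("Smith")
    strong = Account("owner-pw")
    strong.set_security_answer(random_security_answer())  # 128-bit random answer
    return {
        "weak_answer_found": guess_security_answer(weak, COMMON_SURNAMES),
        "strong_answer_found": guess_security_answer(strong, COMMON_SURNAMES),
        "weak_bits": guess_work_bits(len(COMMON_SURNAMES)),
        "strong_bits": guess_work_bits(16 ** 32),  # 32 hex digits = 128 bits
    }


if __name__ == "__main__":
    print(email_reset_scenario())
    print(question_scenario())
```

The email path changes the account's state, which is what makes the access detectable; the question path only needs the attacker to know the answer, so the answer's entropy is the whole defence, and a random one is the only way to make it comparable to a password.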



Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds