On Fri, Jan 9, 2009 at 3:38 PM, Sriram Panyam <sri.pan...@gmail.com> wrote:
> you know all said and done how the hell do you technically safeguard
> against "Happiness" as a password?
The problem is not so much that (it's bad, arguably, and you could even force some complexity or length (personally I recommend long sentences)) but really the fact that it was trivial to do the password reset on the accounts. What should've been done is that a secondary token is required to do the reset. For example, the crystal account requests a reset, is sent a 'confirm reset thing' to an offline area (her email, an internal twitter site, etc.) and then it's processed there (possibly with yet another token).

> but yes a dictionary attack is something they could have prevented with
> rate-limiting!

--
noon silky
http://www.boxofgoodfeelings.com/
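The two controls described in the reply (a reset confirmation token delivered somewhere the attacker cannot reach, and rate-limiting of password guesses) are easy to get subtly wrong, so here is an added worked example in Python. It is illustrative code written for this page, not the poster's design or anything from the service being discussed. The `send_out_of_band` callback, the 15-minute token lifetime, the 5-per-minute limit and the user name `crystal` are assumptions chosen for the demo; the "inbox" is a constructed list standing in for e-mail delivery.

```python
"""Added example: out-of-band password reset tokens plus a login rate limiter.
Illustrative code for this page, not the original poster's or any product's.
"""
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a reset token is valid for 15 minutes


class ResetTokenStore:
    """Issues single-use, expiring reset tokens and stores only their hash,
    so a leaked table of pending resets does not let anyone finish one."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # username -> (sha256(token) hex, expiry timestamp)

    def issue(self, username, send_out_of_band):
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, not guessable
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[username] = (digest, self._now() + TOKEN_TTL_SECONDS)
        # Deliver the raw token only to the user's own channel (e-mail etc.).
        send_out_of_band(username, token)

    def redeem(self, username, token):
        """True only for the current, unexpired, not-yet-used token."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        digest, expires_at = entry
        if self._now() > expires_at:
            del self._pending[username]
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, presented):  # constant-time compare
            return False
        del self._pending[username]  # single use: a replay must fail
        return True


class RateLimiter:
    """Sliding-window limiter: at most `limit` attempts per `window` seconds
    per key (e.g. per account), which caps online dictionary attacks."""

    def __init__(self, limit=5, window=60.0, now=time.time):
        self.limit, self.window, self._now = limit, window, now
        self._hits = defaultdict(deque)

    def allow(self, key):
        q = self._hits[key]
        now = self._now()
        while q and q[0] <= now - self.window:  # drop attempts outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class FakeClock:
    """Controllable clock so expiry and windows can be exercised offline."""

    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    clock = FakeClock()
    inbox = []  # constructed stand-in for the account owner's e-mail inbox
    deliver = lambda user, tok: inbox.append((user, tok))
    store = ResetTokenStore(now=clock)
    results = {}

    store.issue("crystal", deliver)
    results["guessed_token"] = store.redeem("crystal", "not-the-real-token")
    results["real_token"] = store.redeem("crystal", inbox[-1][1])
    results["replayed_token"] = store.redeem("crystal", inbox[-1][1])

    store.issue("crystal", deliver)
    clock.advance(TOKEN_TTL_SECONDS + 1)
    results["expired_token"] = store.redeem("crystal", inbox[-1][1])

    limiter = RateLimiter(limit=5, window=60, now=clock)
    wordlist = ["happiness", "password", "123456", "letmein", "qwerty", "monkey", "dragon"]
    results["guesses_allowed"] = sum(limiter.allow("crystal") for _ in wordlist)
    clock.advance(61)
    results["allowed_after_window"] = limiter.allow("crystal")
    return results


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: the store keeps only a hash of the token, so the raw secret exists solely in the out-of-band message, and `redeem` deletes the entry on success so the same link cannot be used twice. Rate-limiting per account, as here, stops the dictionary attack on one victim; a real deployment would also limit per source address, since an attacker can spread guesses across many accounts.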