Comments on: strong authentication and emailing passwords

By: OpenID provider wish-list at willnorris.com

OpenID provider wish-list at willnorris.com — Thu, 08 Mar 2007 09:35:12 +0000

[…] Tags: No Tags. A week or so ago, Nic Ferrier of prooveme contacted me in regards to a previous post I made that referenced prooveme.com in regards to strong authentication. He ended the […]

By: Will Norris

Will Norris — Thu, 01 Mar 2007 20:40:30 +0000

[quote comment="1373"]The issue here is that they actually know what your password is, meaning it is stored somewhere on their end in plain-text.[/quote] Oh I certainly agree in principal... password should be thrown into something like Kerberos which is actually designed for this, and then point of all applications at that. That's the way everything works at my employer, with the addition of an LDAP directory which applications can use to authenticate users, although the directory in turns goes to Kerberos.

However, given the type of setup a company like TxD must have, I can somewhat understand the need for not doing this, especially since that password is shared among so many systems (not that I necessarily agree with that either).

By: Nik Cubrilovic

Nik Cubrilovic — Thu, 01 Mar 2007 20:27:50 +0000

The issue here is that they actually know what your password is, meaning it is stored somewhere on their end in plain-text. Forgetting your password should always be a secondary auth and reset procedure rather than what you see here..

By: Will Norris

Will Norris — Tue, 27 Feb 2007 02:42:40 +0000

[quote comment=”1345”]It’s a help desk application that sends the emails out, I’ll pass on the idea of including x509 or other encryption support in there to the developers.[/quote] Or more simply, don’t email out passwords. It shouldn’t be too terribly difficult to come up with some other way to distribute or reset one’s password in a secure manner that does at least minimal identity verification. In any event, thanks for the reply… it is definitely comforting to know that TxD is actively listening.

By: Jason Hoffman

Jason Hoffman — Tue, 27 Feb 2007 00:31:26 +0000

It’s a help desk application that sends the emails out, I’ll pass on the idea of including x509 or other encryption support in there to the developers.

By: Will Norris

Will Norris — Mon, 26 Feb 2007 22:36:23 +0000

In regards to not vetting my identity, I forgot that by default all of my outgoing emails are signed using my x509 certificate from Thawte (which includes both my name and email since I went through their vetting process). So given that, I guess that would have been sufficient to determine that the request was truly from me… my apologies on that point. However, that also means that you then had my public cert right there and could have easily used it to encrypt the reply email. Perhaps you are just a PGP shop and would have done so if I had used that instead of x509? That would definitely be encouraging, but still a little short-sighted since there are still a number of people that use x509, if for no other reason than it is more commonly supported in email clients.

By: Jason Hoffman

Jason Hoffman — Mon, 26 Feb 2007 21:53:35 +0000

Will, we all know who you are (Filip was also a "VC" and the pool is pretty small).

We also expect you to log in and change your password.

And also if you send in a gpg or pgp key, we'd be sure to use it.

Regards, Jason (txd founder)