
Re: [Savannah-hackers-public] changing password when registering


From: Ineiev
Subject: Re: [Savannah-hackers-public] changing password when registering
Date: Fri, 30 Jun 2017 01:54:45 -0400
User-agent: Mutt/1.5.21 (2010-09-15)

On Thu, Jun 29, 2017 at 06:21:22PM -0600, Bob Proulx wrote:
> Ineiev wrote:
> > In savane/frontend/php/account/register.php, I see a message
> > like "For better security we advise you to change your password
> > as soon as possible." (it's sent in the confirmation message).
>
> That is in the link sent by email to the person to confirm their email
> address, right?

Yes.

> > I wonder why; is the procedure for changing the password
> > inherently more secure?
>
> The link sent to you by email may be eavesdropped upon.  But when you
> connect with https then if you trust the CA (certificate authority)
> that signed the https certificate (historically there have been
> problems with that) then you can trust that your connection to the
> site is secure.  Changing your password over https should be very
> secure.  More so than if anything is sent to you by email.
>
> Also I will note that there have been some incidents at other sites
> where SMS text messages were subverted.  Therefore SMS tokens are not
> good security either.

The registration form (including the password) is sent over HTTPS,
so it should be equally secure. Plain-text email isn't secure,
and I can see how it could be used to register with another person's
email account, but it isn't clear to me how one could use the hash
to compromise the password.
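As an added example (not code from Savane or from either poster), one way to build the emailed confirmation link so that intercepting it reveals nothing about the password: the emailed token is random and independent of the password hash, the server stores only a digest of it, and it is time-limited and single-use. All names, the 24-hour lifetime and the PBKDF2 parameters are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple

TOKEN_TTL_SECONDS = 24 * 3600  # assumed lifetime of the emailed link


@dataclass
class PendingAccount:
    email: str
    pw_salt: bytes
    pw_hash: bytes        # PBKDF2 of the password; never leaves the server
    token_digest: bytes   # SHA-256 of the emailed token, not the token itself
    issued_at: float
    confirmed: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    # Assumed work factor; the point is only that this value is never emailed.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def register(email: str, password: str, now: Optional[float] = None) -> Tuple[PendingAccount, str]:
    """Create the pending record; return it with the one-time token for the email."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)   # random, unrelated to the password
    salt = secrets.token_bytes(16)
    record = PendingAccount(
        email=email,
        pw_salt=salt,
        pw_hash=hash_password(password, salt),
        token_digest=hashlib.sha256(token.encode()).digest(),
        issued_at=now,
    )
    return record, token


def confirm(record: PendingAccount, presented: str, now: Optional[float] = None) -> bool:
    """Accept the emailed token once, within its lifetime, with a constant-time compare."""
    now = time.time() if now is None else now
    if record.confirmed or now - record.issued_at > TOKEN_TTL_SECONDS:
        return False
    digest = hashlib.sha256(presented.encode()).digest()
    if not hmac.compare_digest(digest, record.token_digest):
        return False
    record.confirmed = True
    return True
```

Because the token is generated independently of the password, an eavesdropper on the email learns at most that an account for that address is pending, and the password hash itself is never sent anywhere.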
