On Mon, Jun 06, 2005 at 08:22:11AM -0700, bruce wrote:

> i was referring to the issue of anything sent via email that's not
> encrypted is 'weak'.. if you send a hashed passwd/data via email, along
> with a url for the user to link to, you're still in the same situation you
> have now.. some one could spoof your email and send it, changing the
> url...

No, it's slightly better than just sending the password, because even if the message is intercepted, at least the victim will be aware that someone else changed the password.

> it's obvious that i'm only interested in this problem/solution as it
> pertains to sites that require you to login (user/passwd) because the site
> has something of value... these are also the sites with the $$$ for a
> reasonable/good solution!

Someone else suggested using snail mail -- sending a reset token (again, not a new password) this way is one approach. (The Vermont college savings plan I just set up for my daughter uses this, for example.)

Again, it comes down to balancing risks. How important is convenience vs. security?

--
Matthew Miller mattdm@xxxxxxxxxx <http://www.mattdm.org/>
Boston University Linux ------> <http://linux.bu.edu/>
Current office temperature: 80 degrees Fahrenheit.