
Re: [edlug] intercepting emails



Rory McCune <rorym@xxx.xxx.xxx> writes:

<sending new passwords by email>
> * while it is pretty common practice, doesn't mean it is a good thing.
> A better way is to use secondary questions/answers, set-up when you
> create the account and then ask that if you forget your password......

I'd disagree with that -- it makes the account only as secure as the
secondary questions, which is usually less secure than the primary
password (if it was as secure, why wouldn't you just use it as the
primary means of authentication if it was less likely to be forgotten?).
To my mind, unencrypted email is better than secondary questions but
neither is particularly good.  Better would be encrypted email, best
would be client side SSL certificates.  Unfortunately not many people
use encrypted email and few keep SSL certificates around, especially not
ones that are certified by a trusted CA.

As an intermediate measure, I quite like the way NatWest goes about
things (from a setting up point of view) -- they require you to phone
them and convince them that you are who you say you are before sending
you your activation code, which comes in the post a few days later.  You
use this code to activate your account and set up your PIN and password.
Should you forget either, you have to phone them again.  This is
probably a bit too much hassle for your average shopping site though...

I believe that the CC companies have a new scheme coming out soon, which
should make all this a lot easier -- after attempting to purchase
something online, you have to go to the CC company's site and satisfy
them that you really are you, before they authorise the transaction.
This means that you've only got one set of super-secure credentials to
remember, and that they can be secure in defining and maintaining those
credentials.

OK,
-- 
Andrew Aylett | www.aylett.co.uk | 1.79 x 10^12 furlongs per fortnight...
andrew@xxx.xxx.xxx | answer==42 |  -- it's not just a good idea, it's the law!
