[OpenID] Password age and password reset
SitG Admin
sysadmin at shadowsinthegarden.com
Wed May 13 02:03:09 UTC 2009
> Perhaps the best solution would be for the RP to just inform the
> user of suspicious activity, and to recommend that the user change
> their PW.
Inform the user how? If the RP is detecting a recently changed
password, they can't detect suspicious activity until after the
password has changed - and then, it probably IS the attacker (not the
user) who is connecting to the RP.
Do they use the OP-submitted E-mail address, probably also changed by
the attacker, to notify the user? Or put something in the page?
Either way, the attacker has now been alerted to the RP's suspicion;
can the attacker disarm these notifications?
-Shade