[OpenID] Password age and password reset
Allen Tom
atom at yahoo-inc.com
Wed May 13 05:09:58 UTC 2009
SitG Admin wrote:
>> Perhaps the best solution would be for the RP to just inform the user
>> of suspicious activity, and to recommend that the user change their PW.
>
> Inform the user how? If the RP is detecting a recently changed
> password, they can't detect suspicious activity until after the
> password has changed - and then, it probably IS the attacker (not the
> user) who is connecting to the RP.
>
Well, in the original proposal, the RP would tell the OP to tell the
attacker to change the password. I still don't quite understand the
proposal and the attack scenarios that it's trying to defend against.
Allen