[OpenID] Password age and password reset

Eric Sachs esachs at google.com
Wed May 13 23:11:46 UTC 2009


>> If the RP detects that the account is possibly compromised, telling the
>> user to change their password is very likely the same thing as informing the
>> attacker that he's been detected. Since the attacker has the password, he
>> might as well change the password (and the account recovery data) to lock
>> out the original user.

In some cases it won't help, but in some cases it will (with the assumption
that the website can tell that the password has been changed).  For many
websites that rely on basic methods of authentication there is no 100%
guaranteed way of returning the account to the rightful owner.  If a website
has already learned through experience that this technique helps (and many
have), then it's a big barrier for them to become an RP if they know they are
losing that technique.