[OpenID] Password age and password reset
SitG Admin
sysadmin at shadowsinthegarden.com
Thu May 14 03:49:56 UTC 2009
>If the RP detects that the account is possibly compromised, telling
>the user to change their password is very likely the same thing as
>informing the attacker that he's been detected. Since the attacker
>has the password, he might as well change the password (and the
>account recovery data) to lock out the original user.
This is why pre-emptive password changes are such a good idea. If the
user can set a new password *before* the old one is compromised,
there will be no problem with a 2-week period during which the old
password is still good - and anyone logging in with the old password
will be able to cancel the new password. If they wait until an
attacker has already figured out the old password, though, changing
it themselves will only render them indistinguishable from an
attacker.
-Shade
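The rotation scheme Shade describes, with the new password taking effect immediately, the old one honoured for a two-week window, and a login with the old password able to cancel the change, as a small Python model. This is an added example, not code from the thread or from any OpenID implementation; the Account and Credential classes, the 14-day GRACE_PERIOD, the PBKDF2 work factor and the sample passwords are all assumptions.

```python
"""Grace-period password rotation (constructed example).

The new password takes effect at once, the old one stays valid for a
fixed window, and a login with the old password during that window can
cancel the change and reinstate the old password."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

GRACE_PERIOD = timedelta(days=14)   # assumed window, matching the "2-week period" in the thread
PBKDF2_ROUNDS = 50_000              # assumed work factor; tune for production use
DAY = timedelta(days=1)
T0 = datetime(2009, 5, 14, tzinfo=timezone.utc)   # constructed reference time


@dataclass
class Credential:
    """Salted PBKDF2 digest of one password."""
    salt: bytes
    digest: bytes

    @classmethod
    def create(cls, password: str) -> "Credential":
        salt = os.urandom(16)
        return cls(salt, cls._derive(password, salt))

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(self.digest, self._derive(password, self.salt))


@dataclass
class Account:
    current: Credential
    previous: Optional[Credential] = None        # superseded password, if any
    previous_expires: Optional[datetime] = None  # end of its grace window

    @classmethod
    def create(cls, password: str) -> "Account":
        return cls(Credential.create(password))

    def _expire_previous(self, now: datetime) -> None:
        # Once the window closes the old password is gone for good.
        if self.previous_expires is not None and now >= self.previous_expires:
            self.previous = None
            self.previous_expires = None

    def change_password(self, old_password: str, new_password: str, now: datetime) -> bool:
        """Set a new password; the old one remains usable until now + GRACE_PERIOD.
        A second change inside the window replaces the pending one."""
        if not self.current.verify(old_password):
            return False
        self.previous = self.current
        self.previous_expires = now + GRACE_PERIOD
        self.current = Credential.create(new_password)
        return True

    def login(self, password: str, now: datetime) -> str:
        """Return "ok" for the current password, "ok-old" for the superseded
        password inside its grace window, "fail" otherwise. An "ok-old" login is
        the point at which the RP should tell the user a change is pending."""
        self._expire_previous(now)
        if self.current.verify(password):
            return "ok"
        if self.previous is not None and self.previous.verify(password):
            return "ok-old"
        return "fail"

    def cancel_change(self, old_password: str, now: datetime) -> bool:
        """Whoever still holds the old password may cancel the pending change,
        which reinstates the old password and discards the new one."""
        if self.login(old_password, now) != "ok-old":
            return False
        self.current = self.previous
        self.previous = None
        self.previous_expires = None
        return True


if __name__ == "__main__":
    acct = Account.create("old-secret")
    acct.change_password("old-secret", "new-secret", T0)
    print(acct.login("old-secret", T0 + DAY))        # ok-old: window still open
    print(acct.cancel_change("old-secret", T0 + DAY))  # True: change cancelled
    print(acct.login("new-secret", T0 + DAY))        # fail: new password discarded
```

The model makes the thread's point concrete: the cancel path only helps when the legitimate user set the new password first, because whoever holds the old password during the window can undo the change. If the change is made after the old password has leaked, both parties hold a usable credential and the server cannot tell them apart from the passwords alone.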