Follow Slashdot blog updates by subscribing to our blog RSS feed


Forgot your password?
For the out-of-band Slashdot experience (mostly headlines), follow us on Twitter, or Facebook. ×

Comment: Type 4 UUIDs (Score 1) 206 206

The combination of time (the UUID can be time boxed), activity (a successful login nullifies the UUID), and possession (control of the account's registered email address)

My concern is how to keep someone between your server and the subscriber's MUA from compromising "possession", or how to establish "possession" the first time.

Assuming the coders didn't decide to come up with their own GUID generation algorithm that is easily reverse engineered and seeded

I just use a PRNG. If I need it as a GUID, I request 120 random bits and format them as a type 4 UUID. Is that good enough?

Comment: Re:Responses (Score 1) 206 206

Or to put it shorter: "Passwords and password reset codes go in separate fields."

I've implemented a similar system that keeps the hashed password and the one-time-use code in separate fields of the user table. I just wondered if there was any good way to protect the "login ticket" (the mail containing the one-time-use code) from interception in the 24 hours between when it is sent and the expiration time that we store.

Comment: It's to confirm control of your e-mail address (Score 1) 206 206

In the message the portal not only assigned my username, but it also listed a temporary password that's good for 30 days! All of this transmitted cleartext.

This use of a one-time, soon-expiring autogenerated password is common in flows that include the step "To reset your password, confirm your e-mail address" or "To opt in to e-mail notifications, confirm your e-mail address". Is there an alternative, other than to either A. mail all customers a second factor of authentication used to reset a password, or B. require all customers to subscribe to mobile phone service with unlimited texting to receive resets through SMS?

Comment: Security theater questions (Score 2) 206 206

Send an e-mail with a verification URL

How do you encrypt this unique verification URL on its way to the subscriber to your service?

security questions

I'm sorry; I misread this as "security theater questions". See "The Curse of the Secret Question" by Bruce Schneier and "Wish-It-Was Two Factor" by Alex Papadimoulis.

Comment: Facebook defeats security theater questions (Score 1) 206 206

The questions we ask are not something that would normally be found in a users inbox

A lot of time, the answers to security theater questions are things that would be in a user's Facebook timeline, such as the name of the middle school that the user attended.

Comment: Not 100% of Internet users have unlimited SMS (Score 1) 206 206

If you want a bit more security than this you could do something like text the user the token instead of baking it into the URL.

But how do you send a text to the number "I don't have a cell phone" or to a land line? I tried to send the code to a land line on a couple sites and got "Unsupported carrier".

Comment: It is "a random hash" (Score 1) 206 206

and send them an email with a link (containing a random hash that's indexed to that user in the DB) to verify the email address

But how would you encrypt "a random hash" on its way to the e-mail recipient?

Why would you need to generate a password for them, especially if you're going to email it plaintext and make them change it anyway?

Because this one-time random password serves precisely the same purpose as "a random hash" that you mention.

+ - Paradoxical Crystal Baffles Physicists->

An anonymous reader writes: In a deceptively drab black crystal, physicists have stumbled upon a baffling behavior, one that appears to blur the line between the properties of metals, in which electrons flow freely, and those of insulators, in which electrons are effectively stuck in place. The crystal exhibits hallmarks of both simultaneously.

“This is a big shock,” said Suchitra Sebastian, a condensed matter physicist at the University of Cambridge whose findings appeared today in an advance online edition of the journal Science. Insulators and metals are essentially opposites, she said. “But somehow, it’s a material that’s both. It’s contrary to everything that we know.”

Link to Original Source

Comment: Re:Goodness (Score 1) 251 251

Unfortunately, in this case the pain spreads around. The sluggard isn't necessary the one who suffers for it.

ISPs get stuck dealing with NAT because too many servers are only reachable via v4, servers get stuck scrounging v4 addresses (possibly at great expense) because too many ISPs don't support v6, etc.

Comment: Re:He answered the most boring questions! (Score 1) 159 159

Or are you simply alergic to the d,e,m,s,t and y?

You've obviously never worked on an embedded system. Sometimes in that space, you throw out absolutely anything and everything you don't absolutely positively have to include. That's why busybox exists and has a config menu that lets you choose exactly what commands to support. Likewise, dietlibc for when glibc is too big.

Hold on to the root.