http://danielmiessler.com/blog/from-password-reset-mechanisms-to-openid-a-brief-discussion-of-online-password-security grep understanding Fri, 25 May 2012 02:15:50 +0000 hourly 1 http://wordpress.org/?v=3.3.2 http://danielmiessler.com/blog/from-password-reset-mechanisms-to-openid-a-brief-discussion-of-online-password-security/comment-page-1#comment-243123 Blog :: by Wade Woolwine » Blog Archive » News and Commentary :: by WadeW and You (08/28/2009) Fri, 28 Aug 2009 13:12:02 +0000 http://danielmiessler.com/blog/from-openid-to-email-resets-a-discussion-of-online-password-security#comment-243123 <p>[...] http://danielmiessler.com/blog/from-password-reset-mechanisms-to-openid-a-brief-discussion-of-online... / http://danielmiessler.com/blog/password-reset-mechanisms-the-online-security-threat-nobodys-talking-about I’m really glad this topic is getting some press. I wrote about ASQs a few months ago and have since been noticing some changes in the options available for password reset functionality. Google allows you to select between secondary email reset, SMS, and ASQ. Additionally, there’s a 24hrs waiting period after the email notification is sent out to the secondary email address before you can leverage the other 2 methods. Very nice. MyOpenID (my OpenID provider) offers password, certificate based authentication, and telephone based authentication – pretty awesome options! Alas, the recover password functionality simply sends an email with a 11 character variable that you click to recover your account. Not too happy about that. There you have it, Google has given some serious thought to security in password recovery, MyOpenID, not so much. [...]</p> [...] http://danielmiessler.com/blog/from-password-reset-mechanisms-to-openid-a-brief-discussion-of-online… / http://danielmiessler.com/blog/password-reset-mechanisms-the-online-security-threat-nobodys-talking-about I’m really glad this topic is getting some press. I wrote about ASQs a few months ago and have since been noticing some changes in the options available for password reset functionality. Google allows you to select between secondary email reset, SMS, and ASQ. Additionally, there’s a 24hrs waiting period after the email notification is sent out to the secondary email address before you can leverage the other 2 methods. Very nice. MyOpenID (my OpenID provider) offers password, certificate based authentication, and telephone based authentication – pretty awesome options! Alas, the recover password functionality simply sends an email with a 11 character variable that you click to recover your account. Not too happy about that. There you have it, Google has given some serious thought to security in password recovery, MyOpenID, not so much. [...]

]]>