Mar. 13th, 2009

ewx: (geek)

From news.livejournal.com:

The recent break-ins resulted from hijackers finding and accessing lapsed Hotmail accounts that were used with LiveJournal accounts and publicly displayed on Profile pages in the past. You should be aware that Hotmail recycles email addresses that haven't been used in more than a year. If you validated a Hotmail address for your journal and displayed it publicly in the past, but then let the address lapse, someone who finds and re-registers that address can use it to obtain control of the journal.

This problem is unique neither to Livejournal (anything that has a password reminder and allows usernames to somehow be connected to email addresses will be vulnerable) nor to Hotmail (domain names can change owner). Connecting addresses to logins doesn't have to be 100% reliable for the exercise to be worthwhile to an attacker, and for a high-profile target they might well be prepared to spend a bit of time researching them.

Livejournal suggest that users make sure they only use addresses that they retain control over - in other words, user education, something with a poor track record.

Some possible measures that don't rely on the user's initiative:

  • Refuse to send password reminders to any email address that you've ever published. If addresses and logins can be connected some other way then this is no help, but it should at least reduce the size of the problem a bit.
  • Periodically verify that addresses recorded for password reminders are valid, for instance by sending them a confirmation link that must be clicked for the reminder address to remain usable. Unfortunately if the address has expired and already been re-used, this doesn't do any good - the attacker can follow the link. You could go further and require the password to be entered for the confirmation to complete - but training users to enter passwords in response to emails received out of the blue is a terrible idea!
  • Expire reminder addresses; users would have to (log in and) re-enable them and then re-confirm them (thus resetting the expiry on the email address too, conveniently). This is the most effort for the users, but probably also the most reliable. In practice you'd send a warning email a bit before expiry so that there need never be an interval where you couldn't get a password reminder.
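The three measures above, sketched as an added example (not code from the original post or from LiveJournal); the `Account` and `RecoveryAddress` types, the 90-day expiry and 14-day warning constants, and the `logged_in` flag are assumptions for illustration:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Policy constants are assumptions, not LiveJournal's actual settings.
CONFIRM_TTL = timedelta(days=90)   # a reminder address expires 90 days after confirmation
WARN_BEFORE = timedelta(days=14)   # warn the user two weeks before it expires

@dataclass
class RecoveryAddress:
    email: str
    confirmed_at: datetime         # last time the logged-in user re-confirmed it

@dataclass
class Account:
    username: str
    addresses: list = field(default_factory=list)
    # Every address ever shown on the profile page; entries are never removed.
    published_history: set = field(default_factory=set)

def mark_published(acct: Account, email: str) -> None:
    """Record that an address was displayed publicly (measure 1 keeps it forever)."""
    acct.published_history.add(email.lower())

def reminder_allowed(acct: Account, email: str, now: datetime) -> bool:
    """Measures 1 and 3: refuse published addresses and expired ones."""
    e = email.lower()
    if e in acct.published_history:
        return False
    for addr in acct.addresses:
        if addr.email.lower() == e:
            return now - addr.confirmed_at <= CONFIRM_TTL
    return False               # not a registered reminder address at all

def needs_warning(addr: RecoveryAddress, now: datetime) -> bool:
    """Measure 3: warn before expiry so there is never a gap in coverage."""
    expiry = addr.confirmed_at + CONFIRM_TTL
    return expiry - WARN_BEFORE <= now < expiry

def reconfirm(acct: Account, email: str, now: datetime, logged_in: bool) -> bool:
    """Measure 3: only a logged-in user may re-enable an address (so nobody is
    trained to type a password in reply to an unsolicited email); resets expiry."""
    if not logged_in:
        return False
    for addr in acct.addresses:
        if addr.email.lower() == email.lower():
            addr.confirmed_at = now
            return True
    return False
```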
ewx: (geek)
1924 A Compact Representation of IPv6 Addresses. R. Elz. April 1 1996.
     (Format: TXT=10409 bytes) (Status: INFORMATIONAL)

4291 IP Version 6 Addressing Architecture. R. Hinden, S. Deering.
     February 2006. (Format: TXT=52897 bytes) (Obsoletes RFC3513) (Status:
     DRAFT STANDARD)

I only just realized that 4291 = 1924 backwards. I don't think that can be a coincidence l-)
