[Savannah-help-public] [sr #107281] Verification of account email change


From: Matt McCutchen
Subject: [Savannah-help-public] [sr #107281] Verification of account email changes is ineffective (try 2)
Date: Sat, 31 Jul 2010 16:52:14 +0000
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.9) Gecko/20100419 Fedora/3.5.9-1.custom.fc12 Shiretoko/3.5.9

Follow-up Comment #4, sr #107281 (project administration):

> Wrt predictable identifiers, what about storing 2 random numbers in the
> DB, one for confirmation and one for cancellation?

That would be fine.

> Other code tends to use MD5 and combine user information such as username,
> etc., but I fail to see the increased security compared to a good old, plain
> 64 bits random number.

Right.  The security is actually completely decreased if the user knows all
the inputs to the digest and can recompute it, as is the case for email change
verification.  A MAC with a site-configured secret key would work, but then
one has to be careful about replay attacks.  Random numbers are just easiest.

    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/support/?107281>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/
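The two-random-token design agreed on in the comment above, as an added example that is neither Savane's nor Matt McCutchen's code. It contrasts the recomputable digest scheme with two independent 64-bit random tokens stored server-side, compared in constant time and consumed on first use; the class, method and field names are hypothetical stand-ins for whatever Savannah actually stores.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Added example, not Savane's code. Models the two-token design proposed in
# the thread: one random token to confirm an email change, one to cancel it.


def digest_token(username: str, new_email: str) -> str:
    """The weak scheme the thread criticises: a digest of inputs the user
    already knows. Anyone holding (username, new_email) gets the same value,
    so presenting it proves nothing about control of the mailbox."""
    return hashlib.md5(f"{username}:{new_email}".encode()).hexdigest()


def new_tokens() -> Tuple[str, str]:
    """Two independent 64-bit random tokens (hex), as suggested in the thread."""
    return secrets.token_hex(8), secrets.token_hex(8)


class PendingEmailChanges:
    """In-memory stand-in (hypothetical) for the DB table of pending changes."""

    def __init__(self) -> None:
        self._pending: Dict[str, dict] = {}

    def request(self, username: str, new_email: str) -> Tuple[str, str]:
        """Record a pending change; the confirm token is mailed to the new
        address, the cancel token to the old one."""
        confirm, cancel = new_tokens()
        self._pending[username] = {"email": new_email,
                                   "confirm": confirm, "cancel": cancel}
        return confirm, cancel

    def _take(self, username: str, which: str, presented: str) -> Optional[dict]:
        row = self._pending.get(username)
        # compare_digest avoids leaking the stored token through timing
        if row is None or not hmac.compare_digest(row[which], presented):
            return None
        # Either action consumes the record, so the other token dies with it
        return self._pending.pop(username)

    def confirm(self, username: str, token: str) -> Optional[str]:
        row = self._take(username, "confirm", token)
        return row["email"] if row else None

    def cancel(self, username: str, token: str) -> bool:
        return self._take(username, "cancel", token) is not None
```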