[cap-talk] Webkeys vs. the web
david.hopwood at industrial-designers.co.uk
Mon Mar 23 18:13:28 EDT 2009
Stiegler, Marc D wrote:
> I am presuming that the service would be using the "forgot your password"
> protocol anyway for people who forget their password.
Only if, for that particular service, the vulnerability created by
sending passwords in cleartext email is acceptable.
> In which case, there is no increase in vulnerability: an attacker who
> has the prerequisite mitm authority can always simply run this attack
> against you anyway, just by clicking "forgot my password" button for you :-)
*If* the service has a cleartext email "forgot my password" facility,
then there is no increase in vulnerability, but relying on "forgot my
password" alone results in a decrease in usability relative to my
proposal: in my proposal a user immediately gets to the desired page
after entering their username/password, without having to check their
> The advantage of my proposal is we are not adding yet another password
> to the burden.
Users expect the burden of managing passwords; they do not expect to
have to check their email on every visit to a website that is not from
a bookmark. In any case, *if* the cleartext email vulnerability is
acceptable then it's possible to provide both UIs, and users who always
rely on "forgot my password" then do not have to manage their passwords.
David-Sarah Hopwood ⚥