
"Man In The Middle (MITM)" is the important bit. For example by sniffing the wireless traffic on an unencrypted wlan you can capture entire emails being sent or received, without ever compromising the account.



  - Request password reset.
  - Sniff email with reset link.
  - Go to reset link before user does and change password.


The key difference is that capturing a plaintext password means the user and attacker both share a password without the user realising, while capturing a reset link means that one of them will win and the other will observe their password reset has failed.


That will work, however it will also leave the user with a clue that their account may have been compromised. It is also a noticeable degree harder to pull off than simply sniffing a password being sent, due to needing to know the target's data necessary to request a reset.


Hence our mentioning that the user must receive a mail notifying of the password change.


It would be better if the website allowed the user to set the new password first and then send an email to confirm the password change.


Entire clear text emails. Everyone SHOULD be using TLS wrapped email protocols. That doesn't mean they are, but gmail is https all the way and many providers now require TLS connections to the mail servers.

Still, one time use password reset links with explicit instructions and set expectations to reset the password immediately is the way to go if you're emailing anything IMO.
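The one-time, short-lived reset token the thread settles on, written out as an added Python example (not code from any commenter). The token store, user names, notification list and injectable clock are constructed assumptions; it shows that a sniffed link is useless once the legitimate user has redeemed it, and that the sniffing window is bounded by the expiry.

```python
import hashlib
import secrets
import time


class ResetTokenStore:
    """Hypothetical in-memory store for one-time, expiring password reset tokens."""

    def __init__(self, ttl_seconds=900, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock              # injectable so expiry can be tested offline
        self._tokens = {}               # sha256(token) -> (user, expires_at)
        self.passwords = {}             # user -> password hash (constructed stand-in)
        self.notifications = []         # (user, message) mails that would be sent

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked database does not yield live links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user):
        # Invalidate any earlier outstanding token for this user: only the newest link works.
        self._tokens = {h: v for h, v in self._tokens.items() if v[0] != user}
        token = secrets.token_urlsafe(32)   # 256 bits of entropy, unguessable
        self._tokens[self._digest(token)] = (user, self.clock() + self.ttl)
        return token                        # this is what goes into the emailed link

    def redeem(self, token, new_password_hash):
        """Consume the token. Whoever presents it first wins; every later attempt fails."""
        entry = self._tokens.pop(self._digest(token), None)  # single use: burned on first touch
        if entry is None:
            return "invalid_or_used"
        user, expires_at = entry
        if self.clock() > expires_at:
            return "expired"
        self.passwords[user] = new_password_hash
        # Notify the account owner so a reset they did not perform is noticed.
        self.notifications.append((user, "Your password was changed"))
        return "ok"
```

A second redemption of the same link, whether by the user or by someone who sniffed it, returns "invalid_or_used", which is the observable failure the thread describes.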



