
  - Request password reset.
  - Sniff email with reset link.
  - Go to reset link before user does and change password.



The key difference is that capturing a plaintext password means the user and attacker both share a password without the user realising, while capturing a reset link means that one of them will win and the other will observe their password reset has failed.


That will work, however it will also leave the user with a clue that their account may have been compromised. It is also a noticeable degree harder to pull off than simply sniffing a password being sent, due to needing to know the target's data necessary to request a reset.


Hence our mentioning that the user must receive a mail notifying of the password change.


It would be better if the website allowed the user to set the new password first and then send an email to confirm the password change.



