[Cryptography] Why is emailing me my password?

Greg greg at kinostudios.com
Wed Oct 2 10:57:40 EDT 2013


> Hm.. that's a nice idea, but I don't think it can work reliably. What if
> the send path changes in between? AFAIK there are legitimate reasons for
> that, like load balancers or weird greylisting setups.

You're right, I think I misunderstood you when you talked about a "one time password". I thought you were referring to something users would have to come up with.

If by "one time password" you mean a server-generated token, then yes, that would be far better.

That's standard practice for most mailing lists. The token is usually a unique challenge link sent back to the user, and they can either click on it or reply to the message while quoting the link in the body. Sometimes it's also a unique number in the subject line.

- Greg

--
Please do not email me anything that you are not comfortable also sharing with the NSA.

On Oct 2, 2013, at 10:40 AM, Markus Wanner <markus at bluegap.ch> wrote:

> On 10/02/2013 04:32 PM, Greg wrote:
>> I agree, I apologize for the excessively negative tone. I think RL (and
>> unrelated) agitation affected my writing and word choice. I've taken
>> steps to prevent that from happening again (via magic of self-censoring
>> software).
> 
> Cool. :-)
> 
>> I don't see why a one-time-password is necessary. Just check the headers
>> to verify that the send-path was the same as it was on the original request.
> 
> Hm.. that's a nice idea, but I don't think it can work reliably. What if
> the send path changes in between? AFAIK there are legitimate reasons for
> that, like load balancers or weird greylisting setups.
> 
> Plus: why should that part of the header be more trustworthy than any
> other part? Granted, at least the last IP is added by a trusted server.
> But doesn't that boil down to IP-based authentication?
> 
> I'm not saying it's impossible, I just don't think it's as good as a
> one-time token. Do you know of a mailing list software implementing such
> a thing?
> 
> Regards
> 
> Markus Wanner
> 
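The server-generated challenge token that Greg describes above, worked through as an added example (not code from this thread or from any list software): the server issues a random token, places it both in a confirmation link and in the subject line, and accepts it back whether the user clicks the link or replies quoting the message, with single use and an expiry. The function names, the in-memory store and the three-day lifetime are assumptions.

```python
import hashlib
import hmac
import re
import secrets
import time
from typing import Optional

# Constructed in-memory store of pending requests: sha256(token) -> (address, expiry)
PENDING = {}
TOKEN_TTL = 3 * 24 * 3600  # three days; an assumed policy value, not from the thread


def _digest(token: str) -> str:
    # Keep only a hash server-side so a leaked table cannot be used to confirm requests
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(address: str, now: Optional[float] = None) -> str:
    """Create an unguessable challenge for a subscription request and record it."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(24)  # 192 bits of randomness, 32 URL-safe characters
    PENDING[_digest(token)] = (address, now + TOKEN_TTL)
    return token


def challenge_message(address: str, token: str) -> str:
    """The confirmation mail: token in the subject and in a link the user can click or quote."""
    return (
        f"Subject: confirm {token}\n"
        f"To: {address}\n\n"
        f"Click https://lists.example.org/confirm/{token} or reply to this message.\n"
    )


_TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{32}")  # matches the 32-char token_urlsafe(24) output


def confirm(incoming: str, now: Optional[float] = None) -> Optional[str]:
    """Accept a clicked URL or a quoting reply; return the confirmed address or None."""
    now = time.time() if now is None else now
    for candidate in _TOKEN_RE.findall(incoming):
        cand_digest = _digest(candidate)
        for stored_digest, (address, expiry) in list(PENDING.items()):
            if not hmac.compare_digest(cand_digest, stored_digest):
                continue
            del PENDING[stored_digest]  # single use: a replayed token never confirms twice
            return address if now <= expiry else None  # expired tokens are discarded
    return None
```

Because the secret lives only in the token, the check does not depend on the Received path or the sender's IP, which is the weakness Markus raises about header-based verification.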
