[Cryptography] Why is emailing me my password?

Markus Wanner markus at bluegap.ch
Wed Oct 2 10:40:05 EDT 2013


On 10/02/2013 04:32 PM, Greg wrote:
> I agree, I apologize for the excessively negative tone. I think RL (and
> unrelated) agitation affected my writing and word choice. I've taken
> steps to prevent that from happening again (via magic of self-censoring
> software).

Cool. :-)

> I don't see why a one-time-password is necessary. Just check the headers
> to verify that the send-path was the same as it was on the original request.

Hm.. that's a nice idea, but I don't think it can work reliably. What if
the send path changes in between? AFAIK there are legitimate reasons for
that, like load balancers or weird greylisting setups.

Plus: why should that part of the header be more trustworthy than any
other part? Granted, at least the last IP is added by a trusted server.
But doesn't that boil down to IP-based authentication?

I'm not saying it's impossible, I just don't think it's as good as a
one-time token. Do you know of a mailing list software implementing such
a thing?

Regards

Markus Wanner
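To make the alternative Markus prefers concrete, here is an added example (not code from this thread or from any list manager) of a one-time confirmation token: it is bound to the requesting address and action, expires, and is accepted only once, so it does not depend on the mail's send path at all. The address, action name and TTL are made up for illustration.

```python
# Added example: one-time confirmation token for a mailing-list request.
# Assumed design: HMAC over address|action|nonce|expiry, plus a redeemed-nonce
# set so a token can be used exactly once. Not taken from any real list manager.
import hmac
import hashlib
import secrets
import time

SECRET = secrets.token_bytes(32)   # server-side key, generated at startup

# Nonces already redeemed; a real deployment would persist this store.
_used_nonces = set()


def issue_token(address, action, now=None, ttl=3600):
    """Build a token valid for `ttl` seconds, tied to one address and action."""
    now = int(time.time()) if now is None else now
    nonce = secrets.token_hex(8)
    expires = now + ttl
    msg = f"{address}|{action}|{nonce}|{expires}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"{nonce}.{expires}.{mac}"


def redeem_token(token, address, action, now=None):
    """Accept the token once; replays, expired or mismatched tokens fail."""
    now = int(time.time()) if now is None else now
    try:
        nonce, expires_str, mac = token.split(".")
        expires = int(expires_str)
    except ValueError:
        return False                      # malformed token
    msg = f"{address}|{action}|{nonce}|{expires}".encode()
    expected = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False                      # forged, or wrong address/action
    if now > expires:
        return False                      # expired
    if nonce in _used_nonces:
        return False                      # replay of an already-used token
    _used_nonces.add(nonce)
    return True
```

Because the token carries its own binding and expiry, the server never has to trust Received headers or the sender's IP; it only has to keep the key secret and remember which nonces it has already honoured.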
