[Cryptography] Removal of spaces in NIST Draft SP-800-63B

Jonathan Thornburg jthorn4242 at gmail.com
Sun Apr 2 21:50:18 EDT 2017


password-reset --> E-mail temporary password to user:

On Sun, Apr 02, 2017 at 01:31:07AM -0400, Kevin W. Wall wrote:
> 2) you generally place a tight time limit on how soon such an emailed
> password must be used. Say no more than 12 hours, but ideally, maybe 15-20
> minutes max. (Presumably, since the user took some action to have the
> password emailed??? to themselves [e.g., user registration, forgot password
> flow, call to help desk, etc.]. The user will be expecting the password in
> an email, so its expiration period can be short.)

Ick.  E-mail doesn't always arrive in < 15-20 minutes!  Sometimes a
mail-relay machine has a temporary error condition and mail gets queued
for a while.  Or a message gets caught in a greylisting queue (and hence
waits 4-24 hours before being retransmitted and delivered).  Or some
"helpful" software on the user's computer decides that this is a good
time to install updates.

And, *humans* don't always sit at an E-mail-capable device 24/7.  Even
humans who are expecting an important E-mail sometimes still engage in
non-internet-connected activities, returning later to catch up on their
E-mail.

FWIW, the shortest expiration time I've ever personally seen for a
"please confirm your message to the FOO mailing list" token was 48 hours,
with 3-7 days being more common.

-- 
-- "Jonathan Thornburg [remove -color to reply]" <jthorn4242 at gmail-pink.com>
   Dept of Astronomy & IUCSS, Indiana University, Bloomington, Indiana, USA
   "There was of course no way of knowing whether you were being watched
    at any given moment.  How often, or on what system, the Thought Police
    plugged in on any individual wire was guesswork.  It was even conceivable
    that they watched everybody all the time."  -- George Orwell, "1984"
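To make the trade-off above concrete, here is an added example (not from the original post or thread) of a single-use, time-limited temporary-password store that keeps only a hash of the token, run against a constructed 4-hour greylisting delay: the 15-20 minute lifetime fails, the 48-hour lifetime still works. The `TokenStore` class, the user names and the timestamps are all assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class TokenStore:
    """Issues single-use, time-limited temporary passwords and keeps only their hash."""
    ttl_seconds: int
    _issued: dict = field(default_factory=dict)  # user -> (sha256 hex digest, expiry time)

    def issue(self, user: str, now: float) -> str:
        # The plaintext token goes into the e-mail; the server stores only a digest,
        # so a leaked database does not hand out usable temporary passwords.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._issued[user] = (digest, now + self.ttl_seconds)
        return token

    def redeem(self, user: str, token: str, now: float) -> bool:
        entry = self._issued.get(user)
        if entry is None:
            return False
        digest, expires_at = entry
        if now > expires_at:
            self._issued.pop(user, None)  # expired: discard so it cannot be retried later
            return False
        candidate = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(candidate, digest):  # constant-time comparison
            return False
        del self._issued[user]  # single use: a second redemption of the same token fails
        return True


# Constructed scenario: the message sits in a greylisting queue for 4 hours.
GREYLIST_DELAY = 4 * 3600


def delivery_outcome(ttl_seconds: int, delay_seconds: int = GREYLIST_DELAY) -> bool:
    """True if a token issued with ttl_seconds is still redeemable after delay_seconds."""
    store = TokenStore(ttl_seconds=ttl_seconds)
    t0 = 1_000_000.0  # constructed reference timestamp (seconds)
    token = store.issue("alice", now=t0)
    return store.redeem("alice", token, now=t0 + delay_seconds)


if __name__ == "__main__":
    print("15-minute TTL survives greylisting:", delivery_outcome(15 * 60))    # False
    print("48-hour TTL survives greylisting:  ", delivery_outcome(48 * 3600))  # True
```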
