
That opens an attack vector where I can keep someone off a site by repeatedly requesting a password reset.

You don't want to take any actions on an authenticated session as a result of actions of an unauthenticated user.



Yes I do. Sometimes the medicine is unpleasant but necessary. For many services, a malicious denial is better than an active compromised account, both in the material consequences and the opportunities for tactical management. We similarly also lock out after X failed login attempts.


Requesting a blind password reset is not a "compromised account".

"We similarly also lock out after X failed login attempts."

That is not affecting an authenticated session with the actions of an unauthenticated session; that is affecting unauthenticated sessions with the actions of unauthenticated sessions. You should not cancel logged in sessions because of failed login attempts for the same reason. It is a violation of basic security principles for an unauthenticated user to be able to affect an authenticated session. You open an attack vector, one that can and has been used, and can and has been used to escalate as well:

1. Blow through the login limits on the target user's account.
2. In the interests of "security", you cancel the real-life login session because of the unrelated actions of attackers.
3. Wondering what's going on, the user checks their email and sees the attacker's well-crafted phishing email about how they need to reconfirm their password because of [security bibble-babble].
4. Because it's so temporally related, the user is much more inclined to think it's valid and click through.

That's just one way to exploit it that comes to mind; statistically, that's going to be much more effective than blind emails.

Don't let unauthenticated sessions affect authenticated ones.

I drive in an area with some roundabouts, and a lot of polite drivers. There's a handful of drivers that think they are doing us all a favor when they "upgrade" the yield signs on the roundabouts to stop signs. They're not. You're doing much the same thing; security isn't about going in one direction all the way and being as paranoid as possible and shutting down access at the first sign of trouble. It's about getting the balance correct, because being over-paranoid can open you up to exploits too.
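To make the two designs in this exchange concrete, here is an added example (not code from either commenter) of a toy auth service in two variants: a hardened one in which password-reset requests and failed logins only affect the unauthenticated login/reset path, and a naive one that revokes the account's live sessions whenever such an event occurs. The account names, thresholds and the in-memory storage are assumptions made for the demo; passwords are compared in plaintext only to keep the example short.

```python
"""Hardened vs naive handling of unauthenticated events (reset requests, failed logins).

Added example for the discussion above, not code from any commenter. Names,
thresholds and the in-memory store are constructed for the demo.
"""
import hmac
import secrets
from dataclasses import dataclass, field

MAX_FAILED_LOGINS = 5      # failed attempts before the login path is locked
MAX_RESET_EMAILS = 3       # reset e-mails per account before throttling kicks in
CORRECT_PASSWORD = "correct horse battery staple"   # constructed demo credential


@dataclass
class Account:
    username: str
    password: str                 # plaintext for brevity; a real service stores a hash
    failed_logins: int = 0
    reset_requests: int = 0
    emails_sent: list = field(default_factory=list)


class AuthService:
    """Hardened design: unauthenticated input never touches authenticated state."""

    def __init__(self):
        self.accounts = {}        # username -> Account
        self.sessions = {}        # session token -> username

    def register(self, username, password):
        self.accounts[username] = Account(username, password)

    def login(self, username, password):
        acct = self.accounts.get(username)
        if acct is None:
            return None
        if acct.failed_logins >= MAX_FAILED_LOGINS:
            return None           # login path locked; existing sessions are untouched
        if not hmac.compare_digest(acct.password, password):
            acct.failed_logins += 1
            if acct.failed_logins >= MAX_FAILED_LOGINS:
                self._on_unauthenticated_abuse(acct)
            return None
        acct.failed_logins = 0
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token

    def request_password_reset(self, username):
        acct = self.accounts.get(username)
        if acct is None:
            return                # behave identically for unknown accounts
        acct.reset_requests += 1
        if acct.reset_requests <= MAX_RESET_EMAILS:
            acct.emails_sent.append("password reset link")  # throttled, not unbounded
        self._on_unauthenticated_abuse(acct)

    def is_logged_in(self, token):
        return token in self.sessions

    def _on_unauthenticated_abuse(self, acct):
        pass                      # hardened: live sessions are left alone


class NaiveAuthService(AuthService):
    """The design criticised in the thread: revoke sessions on unauthenticated events."""

    def _on_unauthenticated_abuse(self, acct):
        for token, user in list(self.sessions.items()):
            if user == acct.username:
                del self.sessions[token]


def attacker_denial(service_cls, attempts=10):
    """Victim logs in; an unauthenticated attacker hammers reset and login.

    Returns (victim_still_logged_in, reset_emails_sent, login_path_locked).
    """
    svc = service_cls()
    svc.register("victim", CORRECT_PASSWORD)
    token = svc.login("victim", CORRECT_PASSWORD)
    for _ in range(attempts):
        svc.request_password_reset("victim")   # attacker does not know the password
        svc.login("victim", "wrong-guess")
    login_locked = svc.login("victim", CORRECT_PASSWORD) is None
    return svc.is_logged_in(token), len(svc.accounts["victim"].emails_sent), login_locked


if __name__ == "__main__":
    print("hardened:", attacker_denial(AuthService))        # victim stays logged in
    print("naive:   ", attacker_denial(NaiveAuthService))   # victim is knocked out
```

In both variants the attacker's failed guesses lock the unauthenticated login path and the reset e-mails are capped, so brute force and mailbox flooding are still contained; the only difference is whether the victim's existing session survives, which is exactly the property the parent comment argues must hold.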


Thanks for your remarks, but you've made some profoundly incorrect assumptions and raised contextually variegated guidelines to the status of axioms.




