default_dictionary
directive, or open it using crack_opendict().
One-Time URLs and Password Recovery
As sure as the sun rises, your application users will forget their passwords. All of us are
guilty of forgetting such information, and it's not entirely our fault. Take a moment to
list all the different login combinations you regularly use; my guess is that you have at
least 12 such combinations: e-mail, workstations, servers, bank accounts, utilities,
online commerce, securities and mortgage brokerages, and so on. We use passwords
to manage nearly everything these days. Because your application will presumably be
adding yet another login pair to the user's list, a simple, automated mechanism should
be in place for retrieving or resetting the user's password should it be forgotten.
Table 14-1. Password Candidates and the crack_check() Function's Response

Password    Response
Mary        it is too short
12          it's WAY too short
1234567     it is too simplistic/systematic
street      it does not contain enough DIFFERENT characters
384 CHAPTER 14 - AUTHENTICATING YOUR USERS
Depending on the sensitivity of the material protected by the login, retrieving the
password might require a phone call or sending the password via the postal service.
As always, use discretion when you devise mechanisms that may be exploited by an
intruder. This section examines one such mechanism, referred to as a one-time URL.
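The following is an added example of the one-time URL idea, not the book's own implementation (which follows later in this section and may be structured differently). It assumes PHP 7 or newer with a PDO connection to MySQL, an existing users table with id and email columns, and a hypothetical password_reset table whose definition is given in the comments. The security-relevant choices are that the token comes from the operating system's random source, only a hash of it is stored, it expires, and it is deleted when redeemed, so the URL works exactly once.

```php
<?php
// Added example, not the book's code. Assumed schema (MySQL):
//   CREATE TABLE password_reset (
//     user_id    INT NOT NULL,
//     token_hash CHAR(64) NOT NULL,
//     expires_at DATETIME NOT NULL,
//     PRIMARY KEY (user_id),
//     UNIQUE KEY (token_hash));
// Function names, table names and the reset URL are assumptions.

const RESET_TTL_SECONDS = 15 * 60;   // URL is valid for 15 minutes

// Issue a one-time reset URL for the account registered under $email.
// Returns the URL to e-mail to the user, or null if no such user exists.
// The caller should show the same "check your mail" message either way,
// so the form does not reveal which addresses are registered.
function issueResetUrl(PDO $pdo, string $email): ?string
{
    $stmt = $pdo->prepare('SELECT id FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        return null;
    }

    // 32 bytes from the OS CSPRNG; hex-encoded that is 64 characters,
    // far beyond what an intruder could guess by brute force.
    $token = bin2hex(random_bytes(32));

    // Store only a hash of the token: a leaked table cannot be turned
    // back into working URLs. REPLACE keeps one pending reset per user.
    $stmt = $pdo->prepare(
        'REPLACE INTO password_reset (user_id, token_hash, expires_at)
         VALUES (?, ?, ?)'
    );
    $stmt->execute([
        $userId,
        hash('sha256', $token),
        date('Y-m-d H:i:s', time() + RESET_TTL_SECONDS),
    ]);

    // The raw token goes out in the URL only; it is never stored.
    return 'https://www.example.com/reset.php?token=' . $token;
}

// Redeem a token presented on reset.php. Returns the user id whose
// password may now be changed, or null if the token is unknown, expired
// or already used. The row is deleted inside the same transaction so a
// second request with the same URL finds nothing.
function redeemResetToken(PDO $pdo, string $token): ?int
{
    // Reject anything that is not a 64-character hex string before
    // touching the database.
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;
    }

    $pdo->beginTransaction();
    $stmt = $pdo->prepare(
        'SELECT user_id, expires_at FROM password_reset
         WHERE token_hash = ? FOR UPDATE'
    );
    $stmt->execute([hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || strtotime($row['expires_at']) < time()) {
        $pdo->rollBack();
        return null;
    }

    $del = $pdo->prepare('DELETE FROM password_reset WHERE user_id = ?');
    $del->execute([$row['user_id']]);
    $pdo->commit();

    return (int) $row['user_id'];
}
```

reset.php would call redeemResetToken() with $_GET['token'], and only on a non-null result present the new-password form (bound to a fresh session value, so the password change itself cannot be replayed). Expired rows can be swept by a periodic DELETE on expires_at; an intruder who learns an old token gains nothing either way, because the hash no longer matches any row.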