Posted to users@spamassassin.apache.org by Dianne Skoll <df...@roaringpenguin.com> on 2017/08/07 23:34:37 UTC
Password reset strategies (was Re: Sender needs help with false positive)
[Just replying to one aspect of the original message.]
On Mon, 7 Aug 2017 18:26:00 -0500
David Jones <dj...@ena.com> wrote:
> First, it's a bad idea for a number of reasons to send passwords via
> email. Most modern "lost password" mail loops use a unique URL that
> expires after a short period of time.
As long as both methods expire, both methods require answering a
prearranged question (or some out-of-band method of authentication),
and both methods require immediate changing of the password, a link is
no more secure than sending the temporary password. In fact, a link may
eventually lead to *less* security as it's easier to phish people if
legitimate messages include a link rather than not including a link.
Encouraging people not to click links in messages like legitimate
password recovery emails is a Good Thing, IMO, as it'll make them less
likely to click links in fake ones.
I realize I'm tilting at windmills.
Regards,
Dianne.
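The point made above is that the security of a reset flow comes from three properties (the credential expires, it is issued only after an out-of-band check, and it forces an immediate password change), not from whether the credential travels as a URL or as a temporary password. The following is an added illustration, not code from the thread or from SpamAssassin: one reset store that backs both delivery channels. Class and method names, the 15-minute lifetime and the five-attempt limit are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy values for the example, not taken from the thread.
RESET_TTL_SECONDS = 15 * 60   # short lifetime, as both channels require
MAX_FAILED_ATTEMPTS = 5       # burn the credential after repeated bad guesses


class PasswordResetService:
    """Single-use, expiring reset credential.

    The same token may be placed in a reset URL or mailed as a temporary
    password; the store does not care which. What matters is that it
    expires, is issued only after a challenge, is consumed on first use,
    and can only be redeemed together with a new password.
    """

    def __init__(self, ttl_seconds=RESET_TTL_SECONDS, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock           # injectable for testing expiry
        self._pending = {}            # user -> [token_digest, expires_at, failures]
        self._passwords = {}          # user -> (salt, pbkdf2 hash)

    @staticmethod
    def _token_digest(token):
        # Tokens are high-entropy, so a plain hash is enough to avoid
        # storing the usable secret at rest.
        return hashlib.sha256(token.encode()).hexdigest()

    @staticmethod
    def _password_hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def issue(self, user, challenge_passed):
        """Issue a reset credential only after an out-of-band check passed.

        Returns the plaintext token exactly once: the caller either embeds
        it in a link or mails it as the temporary password.
        """
        if not challenge_passed:
            raise PermissionError("prearranged challenge not satisfied")
        token = secrets.token_urlsafe(24)
        self._pending[user] = [self._token_digest(token),
                               self._clock() + self._ttl, 0]
        return token

    def redeem(self, user, token, new_password):
        """Consume the credential and set the new password in one step.

        Returns True on success. Any failure path leaves no usable
        credential behind once it has expired or been guessed at too often.
        """
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, expires_at, failures = entry
        if self._clock() > expires_at:
            del self._pending[user]
            return False
        if not hmac.compare_digest(digest, self._token_digest(token)):
            entry[2] = failures + 1
            if entry[2] >= MAX_FAILED_ATTEMPTS:
                del self._pending[user]
            return False
        del self._pending[user]          # single use: a replayed token fails
        salt = secrets.token_bytes(16)
        self._passwords[user] = (salt, self._password_hash(new_password, salt))
        return True

    def verify_password(self, user, password):
        """Normal login check against the stored PBKDF2 hash."""
        record = self._passwords.get(user)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._password_hash(password, salt))

    def has_pending(self, user):
        return user in self._pending


if __name__ == "__main__":
    svc = PasswordResetService()
    tok = svc.issue("alice", challenge_passed=True)
    print("redeem ok:", svc.redeem("alice", tok, "correct horse battery"))
    print("replay ok:", svc.redeem("alice", tok, "anything"))
    print("login ok:", svc.verify_password("alice", "correct horse battery"))
```

Whether `tok` is appended to a URL or pasted into a login form, `redeem` applies identical rules, which is the equivalence argued above; the phishing exposure of training users to click links is a separate, human-factors concern that no server-side code removes.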