Re: Forcing new password at login (w/o requiring an old password) (sudo related)
From: Andrew Gideon (c182driver_at_gideon.org)
Date: 08/25/05
- Previous message: Andrew Gideon: "Re: Forcing new password at login (w/o requiring an old password) (sudo related)"
- In reply to: Richard E. Silverman: "Re: Forcing new password at login (w/o requiring an old password) (sudo related)"
- Next in thread: Darren Tucker: "Re: Forcing new password at login (w/o requiring an old password) (sudo related)"
Date: Thu, 25 Aug 2005 12:56:39 -0400

Richard E. Silverman wrote:
> Anyone could send you a public key, forging the email address of
> someone with a new account from whom you're expecting a message.

True, but - absent something like cache poisoning for a man-in-the-middle
type of attack - that would prevent the expected user from logging in.
That I'd learn about out of band (and quickly {8^).

Still, you're right: this isn't perfect. Unfortunately, too many users are
still unacquainted with secure email. I still receive occasional
complaints, for example, when I include a (PGP) signature in email. I've
even seen supposedly Internet-savvy (at least in their opinion {8^) people
worry that it might be a virus.

- Andrew