savannah-hackers-public


Re: [Savannah-hackers-public] changing password when registering


From: Bob Proulx
Subject: Re: [Savannah-hackers-public] changing password when registering
Date: Thu, 29 Jun 2017 18:21:22 -0600
User-agent: NeoMutt/20170609 (1.8.3)

Ineiev wrote:
> In savane/frontend/php/account/register.php, I see a message
> like "For better security we advise you to change your password
> as soon as possible." (it's sent in the confirmation message).

That is in the link sent by email to the person to confirm their email
address, right?

> I wonder why; is the procedure for changing the password
> inherently more secure?

The link sent to you by email may be eavesdropped upon.  But when you
connect with https then if you trust the CA (certificate authority)
that signed the https certificate (historically there have been
problems with that) then you can trust that your connection to the
site is secure.  Changing your password over https should be very
secure.  More so than if anything is sent to you by email.

Also I will note that there have been some incidents at other sites
where SMS text messages were subverted.  Therefore SMS tokens are not
good security either.

Bob


