Cybersecurity - Memes

2856 readers

2 users here now

Only the hottest memes in Cybersecurity

founded 2 years ago

MODERATORS

[email protected]

567

Uh oh, somebody's not following best practices, that's a paddlin (lemmy.world)

submitted 2 weeks ago by [email protected] to c/[email protected]

103 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 12 points 2 weeks ago (2 children)

This thread is just a series of people who think they understand.

Thinking you understand when you do not is the real cyber security threat.

This is a password reset form. This requires the user having successfully authenticated or gone through a password recovery form. The best practices in this instance are not the same as the best practices for a login form.

[–] [email protected] 10 points 2 weeks ago (1 children)

This form can be used to brute force or dictionary guess passwords and infer what they are without a limitation on login attempts. Even if the password has already been invalidated on that service, finding a collision on this service gives you a password that might work on other services for the same email address/username

[–] [email protected] 1 points 2 weeks ago

And waiting for a form submit changes that in what way that cannot also be done on a debounce?

[–] [email protected] 2 points 2 weeks ago

Aquire password database (it's properly hashed and salted)
Create an account and access the password reset form
Dig into the front-end code to find whatever is doing the hash calculations
Brute-force a list of common passwords and look for matches

It would still take significant time, but it's still a vulnerability, especially as technology evolves. You're right that best practices are different for a reset form, but there are some things that are common (like don't do hashes in the front end).