r has chosen to disable password reset (which for a security
> sensitive site, they almost certainly should -- emails aren't secure), then
> it is their duty to supply a public-key method of verifying their identity.
> If they haven't done that then I don't think it's unreasonable for you to
> require any level of:
>
> - Birth certificate
> - Utility bill
> - Passport
> - Freshly made photo of them holding today's paper with a secret phrase of
> your choice written on it.
> - An unlocking payment from the same source as the original VPS purchase
Imagine this. Someone walks into my house, grabs my ID document, a
utility bill and scans it (have no passport). These are all on my desk.
The photo is also easy (using macbook pro's camera). They have already
hacked into my e-mail, so sending the payment is not an issue (they have
my mac password, e-mail password, paypal/google pay password, which are
all of course the same[1]. Bingo.
[1] I have seperate passwords for everything. All in 1-Password. Secured
with a 18-character password. Won't happen here, but can at other places
I'm sure.
> In short: paranoia. Disabling password reset implies a level of security
> that should be maintained. It's saying "I take full responsibility for the
> password to this VPS, and if I lose it, I accept that I may never get access
> again".
Put a note on the site. "If you disable password reset you take full
responsibility for not losing your access details. You also confirm that
bitfolk will be unable to help you with access to your vps if you lose
your PGP key and/or SSH key".
> The alternative is that social engineering will get an attacker access; and
> that's often considerably easier brute forcing problem than a password.
From peet@??? Thu Jul 12 19:57:50 2012
Received: from mead.hivemind.net ([41.76.209.65])
by mail.bitfolk.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
(Exim 4.72) (envelope-from <peet@???>) id 1SpPWI-0004eV-De
for users@???; Thu, 12 Jul 2012 19:57:50 +0000
Received: from 196-215-37-147.dynamic.isadsl.co.za ([196.215.37.147]:49374
helo=mac-wifi.peet.za.net)
by mead.hivemind.net with esmtpa (Exim 4.72 #1)
id 1SpPjk-00012C-Rk by authid <peet> with plain_courier_authdaemon
for <users@???>; Thu, 12 Jul 2012 22:11:45 +0200
Message-ID: <4FFF2C61.4040609@???>
Date: Thu, 12 Jul 2012 21:58:25 +0200
From: Peet Grobler <peet@???>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7;
rv:13.0) Gecko/20120614 Thunderbird/13.0.1
MIME-Version: 1.0
To: users@???
References: <20120707130537.GA11695@???>
<201207081645.39704.andyparkins@???>
<1207091331520.3156.UDXSUCGA%phil-bitfolk-users@???>
<20120709151047.GW11695@???>
<cf66f3c72ac6f92de79ab05de81c0aaa.squirrel@???>
<CADDPZSjiUcC81fKYO-o9F=KL8yM7W_SZH9VmmSST-diuHt2j7w@???>
<20120711130627.64d8d983@???>
<20120711122307.GN11695@???>
In-Reply-To: <20120711122307.GN11695@???>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Whitelisted: Authenticated sender, whitelisted
X-Virus-Scanner: Scanned by ClamAV on mail.bitfolk.com at Thu,
12 Jul 2012 19:57:50 +0000
X-SA-Exim-Connect-IP: 41.76.209.65
X-SA-Exim-Mail-From: peet@???
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
spamd3.lon.bitfolk.com
X-Spam-Level:
X-Spam-ASN: AS3741 41.76.208.0/21
X-Spam-Status: No, score=-2.3 required=5.0 tests=RCVD_IN_DNSWL_MED
shortcircuit=n
