SafeWallet

Andre Garzia andre at andregarzia.com
Thu Sep 27 13:42:15 EDT 2012


On Thu, Sep 27, 2012 at 1:25 PM, Bob Sneidar <bobs at twft.com> wrote:

> This should be a lesson to all developers. ALWAYS give users a way to
> change their password.


Bob,

I don't think this is true. If the encrypted information is sensitive then,
in my humble opinion, having a way to change their password without
providing the current one is a security vulnerability. I think that the
convenience of being able to forget the password you set is not worth the
risk of somebody else getting the data by doing the same procedure.

Of course, this only holds for sensitive data; for common stuff this is
more than reasonable and desired. For example, if my browser bookmarks are
encrypted, having such a feature would be great, but if we're talking about an
app that collects stuff as sensitive as my credit card passwords then
nothing should ever touch that without the password.



-- 
http://www.andregarzia.com -- All We Do Is Code.
http://fon.nu -- minimalist url shortening service.


