Is it only me that finds the passkey thing a bit bad, security-wise, as it is now?
I mean, let's say that the user, for example FLECOM (from [H]ardOCP),
hasn't made/used a passkey yet.
What prevents me (someone) from putting in his name FLECOM and my email address (someone else's email)
here:
http://fah-web.stanford.edu/cgi-bin/getpasskey.py
Let's say in 1 year it's a must to use/have a passkey,
and now when FLECOM comes and puts in his name FLECOM and his email address at
http://fah-web.stanford.edu/cgi-bin/getpasskey.py
it's going to say wrong email address (because I have already put in his name and my email address).
How is he going to claim that he's the original owner of FLECOM who has done all
that work to get all those points he has (~56,603,912)?
So isn't this a big security hole?
That anyone can register (get a passkey) in someone else's user name,
and when you have done it, the real owner of the user name who has worked in all those points
can't get the passkey for his user name because someone else has ninja'd it (stolen it),
because the user name today isn't bound to anything.
So I can register a lot of user names with different email addresses and get passkeys for those so I have them in the future.
Maybe how we get the passkey needs to be looked at again,
because today it's, for me, a big security hole.
a small security question
Re: a small security question
You misunderstand the process, and misunderstand which data points tie together, or more accurately which data points are completely unrelated.
When FLECOM goes to request a passkey, that tool is NOT going to say wrong user name or wrong email address. He can put in whatever user name he wants. The user name entered into the passkey request is NOT tied to your fah user name. It's just an input variable on which your passkey is keyed. It's part of the hash. It's also an easy way for you to remember what you used in case you need to get a copy. Same for your email address. Passkeys are in no way tied to anything you have done before until you type that passkey number into your client configuration. And even then, the passkey is only stored as an additional data point in the stats.
ONLY 1 person has access to BOTH the user name AND the email address that you entered. And even if I know both of those items, I still can't steal the passkey. Even if I enter your user name, and your email address, the passkey that is generated is only sent to YOUR email address. And I can't read your email. Stanford would not release a key system that just anyone could steal.
There is no spoon, er, no hole.
Re: a small security question
To clarify, the passkey is a hash value derived from the username + email address. To get the same passkey, you need the same username and email, so it's impossible to steal it unless you happen to be able to access the email inbox yourself.
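A small simulation of the issuance model the replies describe, added here as an illustration (it is not Folding@home's code). The real hash function and any server-side secret are not on the page, so an HMAC-SHA256 over the username and email with a constructed secret stands in for the derivation, and mailboxes are in-memory lists.

```python
"""Model of a stateless passkey request form: the key is a pure function of
(username, email) and is delivered only to the submitted address, so no
request can 'take' a username away from anyone.  Hash construction and the
server secret below are assumptions for the demo, not the real scheme."""
import hashlib
import hmac

SERVER_SECRET = b"constructed-demo-secret"  # placeholder, not a real value


def derive_passkey(username: str, email: str) -> str:
    """Deterministic keyed hash of the two inputs; no lookup against stats,
    no 'already registered' state, so it never reports a name as taken."""
    msg = username.encode() + b"\0" + email.encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:32]


class PasskeyService:
    def __init__(self) -> None:
        self.inboxes = {}  # email address -> list of passkeys delivered to it

    def request_passkey(self, username: str, email: str) -> None:
        """Accept any username, derive the key, mail it to the given address."""
        key = derive_passkey(username, email)
        self.inboxes.setdefault(email, []).append(key)

    def delivered_to(self, email: str) -> list:
        """What a given inbox has received (only its owner can read this)."""
        return list(self.inboxes.get(email, []))


def demo() -> PasskeyService:
    """Replays the scenario from the thread with constructed addresses."""
    svc = PasskeyService()
    # someone submits the name FLECOM with a different address first
    svc.request_passkey("FLECOM", "someone@example.net")
    # the real owner requests later with his own address: still succeeds
    svc.request_passkey("FLECOM", "flecom@example.org")
    # the same name with the owner's address: key lands in the owner's inbox
    svc.request_passkey("FLECOM", "flecom@example.org")
    return svc
```

The two inboxes end up holding different passkeys, and the owner's inbox is the only place his passkey is ever delivered.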