a small security question

Posted: Tue Aug 12, 2008 1:21 pm
by crisun
Is it only me that finds the passkey thing a bit bad security-wise, like it is now?
I mean, let's say that the user, for example FLECOM (from [H]ardOCP),
hasn't made/used a passkey yet.
What prevents me (someone) from putting in his name FLECOM and my email address (someone else's email)
here:
http://fah-web.stanford.edu/cgi-bin/getpasskey.py

Let's say in a year it's a must to use/have a passkey,
and now when FLECOM comes and puts in his name FLECOM and his email address at
http://fah-web.stanford.edu/cgi-bin/getpasskey.py
it's going to say wrong email address (because I have already put in his name and my email address).
How is he going to claim that he's the original owner of FLECOM that has done all
that work to get all those points he has (~56,603,912)?

So isn't this a big security hole,
that anyone can register (get a passkey) in someone else's user name,
and when you have done it, the real owner of the user name that has worked in all those points
can't get the passkey for his user name because someone else has ninja'd it (stolen it),
because the user name today isn't bound to anything?
So I can register a lot of user names with different email addresses and get passkeys for those, so I have them in the future.

Maybe how we get the passkey needs to be looked at again,
because today it's for me a big security hole.

Re: a small security question

Posted: Tue Aug 12, 2008 5:11 pm
by 7im
You misunderstand the process, and misunderstand which data points tie together, or more accurately which data points are completely unrelated.

When FLECOM goes to request a passkey, that tool is NOT going to say wrong user name or wrong email address. He can put in whatever user name he wants. The user name entered into the passkey request is NOT tied to your fah user name. It's just an input variable on which your passkey is keyed. It's part of the hash. It's also an easy way for you to remember what you used in case you need to get a copy. Same for your email address. Passkeys are in no way tied to anything you have done before until you type that passkey number into your client configuration. And even then, the passkey is only stored as an additional data point in the stats.

ONLY 1 person has access to BOTH the user name AND the email address that you entered. And even if I know both of those items, I still can't steal the passkey. Even if I enter your user name, and your email address, the passkey that is generated is only sent to YOUR email address. And I can't read your email. Stanford would not release a key system that just anyone could steal.

There is no spoon, er, no hole. ;)

Re: a small security question

Posted: Tue Aug 12, 2008 5:31 pm
by Xilikon
To clarify, the passkey is a hash value derived from the username + email address. To get the same passkey, you need the same username and email, so it's impossible to steal it unless you happen to be able to access the email inbox yourself.
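The mechanism the two replies describe (a passkey derived from the username and email entered into the form, delivered only to that email, and unrelated to any existing stats user name until the owner types it into a client), modelled as an added example. This is illustrative code written for this thread, not Stanford's getpasskey.py and not the real Folding@home algorithm; the hash construction, the server-side secret and the example addresses are all assumptions. One caveat worth seeing in code: if the derivation were a plain unkeyed hash of username + email, anyone knowing both inputs could recompute the key offline, so the example keys the hash with a secret held only by the service, which makes delivery to the entered mailbox the only way to obtain it.

```python
import hashlib
import hmac

# Constructed server-side secret (assumption of this example; a real service
# would keep its own in configuration). Keying the hash means the passkey
# cannot be recomputed by someone who merely knows a username and an email.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def derive_passkey(username: str, email: str, secret: bytes = SERVER_SECRET) -> str:
    """Passkey = keyed hash over (username, email).

    Deterministic: re-requesting with the same inputs yields the same key,
    which is why remembering what you typed is enough to get a copy.
    Any change to either input (a different email, say) yields a different key.
    """
    material = f"{username.strip()}\0{email.strip().lower()}".encode("utf-8")
    return hmac.new(secret, material, hashlib.sha256).hexdigest()[:32]


def request_passkey(username: str, email: str) -> dict:
    """Simulate the request form.

    The username is NOT checked against the stats database; it is only part of
    the hash input. The generated key is delivered only to the address typed in.
    """
    key = derive_passkey(username, email)
    return {"username": username, "sent_to": email, "passkey": key}


def tally_points(work_units: list) -> dict:
    """Group credited work by (username, passkey).

    Illustrates "the passkey is only stored as an additional data point in the
    stats": work submitted under the same username but a different passkey
    lands in a separate bucket. Exact grouping rules are an assumption here.
    """
    totals = {}
    for wu in work_units:
        ident = (wu["username"], wu.get("passkey"))
        totals[ident] = totals.get(ident, 0) + wu["points"]
    return totals


def scenario() -> dict:
    """The case from the opening post: someone requests a key for FLECOM with
    their own mailbox, then the real FLECOM requests one with his own."""
    someone = request_passkey("FLECOM", "someone@example.test")   # constructed
    owner = request_passkey("FLECOM", "flecom@example.test")      # constructed
    again = request_passkey("FLECOM", "flecom@example.test")

    # Constructed work units: the owner folds with his key, the other party
    # with theirs; the username alone never merges them.
    units = [
        {"username": "FLECOM", "passkey": owner["passkey"], "points": 1000},
        {"username": "FLECOM", "passkey": owner["passkey"], "points": 500},
        {"username": "FLECOM", "passkey": someone["passkey"], "points": 10},
    ]
    return {
        "keys_differ": someone["passkey"] != owner["passkey"],
        "owner_key_goes_to_owner": owner["sent_to"] == "flecom@example.test",
        "other_key_goes_elsewhere": someone["sent_to"] == "someone@example.test",
        "rerequest_is_stable": again["passkey"] == owner["passkey"],
        "owner_points": tally_points(units)[("FLECOM", owner["passkey"])],
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

Running it shows that the other party's request does not block FLECOM's (the form rejects nothing), that the two requests produce two unrelated keys, each mailed only to the address entered, and that only the key FLECOM actually configures in his client is the one his work is credited under.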