Well written and researched article. Points out a lot of vulnerabilities with excellent examples....

[ more ]  [ reply ]

For a system that uses user-defined usernames, when the username they first try is taken, then what would be an alternative to sequential usernames suggested to the user by the app? Just keep making the user try different usernames until they find one that isn't taken? Suggest a username to them tha...

[ more ]  [ reply ]

I am wondering how it is safer to reset the password and e-mail a user a lin back to the site than to mail a new (temp) password. If mail is intercepted, than both ways will have the same risk in my opinion? Or am I missing something?...

[ more ]  [ reply ]