Linode Forum
Linode Community Forums 		 FAQFAQ    SearchSearch    MembersMembers      Register Register 
 LoginLogin [ Anonymous ] 
Post new topic  Reply to topic

Board index » Linux Community Forums » General Discussion
  Previous topic | Next topic 
Author Message
Dweeber
PostPosted: Tue Jan 05, 2016 9:32 pm 
Offline
Senior Member
User avatar

Joined: Thu Nov 24, 2011 12:46 pm
Posts: 139
Location: Mesa AZ
https://blog.linode.com/2016/01/05/secu ... ord-reset/

Funny, I actually read this first on Slashdot 2-3 hours after the above blog post.

Really would have expected an Email security notice from Linode on this.

_________________
Kevin a.k.a. Dweeber
Top
   
Reply with quote  
mnordhoff
PostPosted: Wed Jan 06, 2016 1:15 am 
Offline
Senior Member

Joined: Sat May 03, 2008 4:01 pm
Posts: 569
Website: http://www.mattnordhoff.com/
Dweeber wrote:
Really would have expected an Email security notice from Linode on this.

They are, but publishing a blog post is faster than sending hundreds of thousands of emails. They're doing both at the same time.

Last time they had to do an email blast, they used a third-party mail company and people complained that it looked like a phishing attempt. >_<

_________________
Matt Nordhoff (aka Peng on IRC)
Top
   
Reply with quote  
mwchase
PostPosted: Wed Jan 06, 2016 8:14 am 
Offline
Senior Newbie

Joined: Sat Aug 15, 2015 4:53 pm
Posts: 8
I saw the reset announcement on the status page since I was checking it fairly regularly due to the the DDoS attack.

However, I think their password reset mechanism has something to be desired. Upon logging in with my old password, I just got a form asking me to enter the new password. That is terribly insecure! I should have been emailed a unique reset URL with an expiring key, to then use to reset my password. As it was, if someone *did* have my password, all they would have to do is login, change my password, and I'd be locked out!
Top
   
Reply with quote  
mnordhoff
PostPosted: Wed Jan 06, 2016 8:17 am 
Offline
Senior Member

Joined: Sat May 03, 2008 4:01 pm
Posts: 569
Website: http://www.mattnordhoff.com/
I concur. Either this is a terrible plan, or they have confidence that most users are not actually in danger.

_________________
Matt Nordhoff (aka Peng on IRC)
Top
   
Reply with quote  
nqservices
PostPosted: Wed Jan 06, 2016 7:30 pm 
Offline
Newbie

Joined: Sun Jan 03, 2016 8:24 pm
Posts: 2
mwchase wrote:
However, I think their password reset mechanism has something to be desired. Upon logging in with my old password, I just got a form asking me to enter the new password. That is terribly insecure! I should have been emailed a unique reset URL with an expiring key, to then use to reset my password. As it was, if someone *did* have my password, all they would have to do is login, change my password, and I'd be locked out!


I agree. This is terribly insecure!!

Shame on Linode.. You guys can do better!
Top
   
Reply with quote  
Display posts from previous:  Sort by  
Post new topic  Reply to topic

Board index » Linux Community Forums » General Discussion


Who is online

Users browsing this forum: No registered users and 2 guests

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum

Search for:
Jump to:  
RSS

Powered by phpBB® Forum Software © phpBB Group