Re: Migrating "A Well-Known URL for Changing Passwords" to WebAppSec from WICG

From: Theresa O'Connor <hober@apple.com>
Date: Wed, 06 May 2020 06:38:13 -0700
To: public-webappsec@w3.org
Message-id: <m27dxpyyii.fsf@toconnor-imac-18-3.lan>

Hi,

> I do wonder if we should (non-normatively) mention the concern that
> having a well-known password change url could be used for nefarious
> purposes (e.g. sending a lot of emails, denial of service if there’s a
> rate limit on password changes, authentication attacks against
> security questions, etc.).

I've filed https://github.com/WICG/change-password-url/issues/19 to
track adding this.


Thanks,
Tess
Received on Wednesday, 6 May 2020 13:38:28 UTC
