Posted by Gordon Burditt on 12/18/95 11:45
>>>it is a deterrent. Also (probably with more bits in the random number)
>>>it is _essential_ where the user cannot be validated. For example
>>>"Thank you for your custom...To view the progress of your order go to
>>>www..../orders.php?OID=123454345434544"
>>
>>I don't think I'd feel comfortable implementing such a thing (if
>>it didn't require a login) if real money was involved. I'd worry
>>about putting any confidential information (e.g. an order) in
>>such a system also.
>
>Why?
>... IOD=123434343443 is a shared secret no different to a username and
>password. The 'must login' approach is (a) cumbersome for the user, (b)
>cumbersome for the sysadmin and (c) doesn't give any more security.
Because the ENTIRE shared secret needed for access is sent in a
single email. It is also likely that it will be recorded in browser
history (unlike web logins, where the logout procedure advises the
user to close the browser if it's a public system to get rid of
session cookies). Some browsers manage to leak browser history to
rogue sites using JavaScript or Java. Ever notice how physical
credit cards and PINs are sent in DIFFERENT postal mails, usually
several days apart? There's a reason for that.
Yes, there is a difference in security.
Gordon L. Burditt