
Some titles I've recently read or at least have placed on my reading list.

--------------------

Philosophy

Letters from a Stoic: Epistulae Morales Ad Lucilium - Seneca

Meditations - Marcus Aurelius (must read)

The Republic - Plato

--------------------

History

Five Chimneys - Olga Lengyel

The Gulag Archipelago - Aleksandr Solzhenitsyn (must read)

The Diary of a Young Girl - Anne Frank

--------------------

Fiction

(particularly dystopian) 1984, Brave New World, Animal Farm, Fahrenheit 451

(crime/action) Child 44, The Secret Speech, Agent 6 - Tom Rob Smith

--------------------

Economics

Capital in the Twenty-First Century - Thomas Piketty

Poor Economics: A Radical Rethinking of the Way to Fight Global Poverty - Banerjee, Duflo

Why Nations Fail - Robinson

--------------------

Economics/Decision making/Psychology

Undercover Economist, Freakonomics, Nudge, Thinking Fast and Slow

--------------------

Random titles

The Selfish Gene, Self-Reliance, The Elements of Style (about writing), Slaughterhouse-Five

--------------------

Some links to inspire your reading (though you may want to check out the websites first to get an idea of the topics they cover)

http://www.gatesnotes.com/Books

http://bookpickings.brainpickings.org/

http://www.farnamstreetblog.com/reading/

http://www.ryanholiday.net/reading-newsletter

I’m just a working-class guy trying to take part in the conversation that all the smart people are having. What books should I read? - http://www.farnamstreetblog.com/2013/03/im-just-a-working-cl...


But how does one handle password resets without resorting in one form or another to sending some info in plain text to users?

At least one website on the current front page is there because it sent a temporary password in plain text. I assume this happened because the user forgot his password. This says nothing about how they store passwords and after all how else would you handle a password reset? Send a password reset link? That's the same thing.

Sending passwords in plaintext back to the user after he has set/changed his password is clearly a security risk but when it comes to temporary passwords or password resets how else would that info be sent?


You should be sending a token and/or reset link which will allow the user to choose a new password.

This is much better than just sending a new password because:

* It can have a TTL.

* The user has to change it, they can't just keep using the plaintext one forever.

* You can perform some kind of verification, was the request for a new password sent from the same country/IP/device as the person generating a new password.
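The three properties listed above (a TTL, forced password change, and room for extra verification) are what distinguish a reset token from a mailed temporary password. As an added illustration, not code from the commenter or from any site mentioned in the thread, the following Python sketch shows one way to implement them: the token is random, only its hash is stored server-side, it expires, it is single-use, it cannot be used as a login credential, and redeeming it forces a new password to be set. The 15-minute TTL, the PBKDF2 password hashing and the in-memory store are assumptions chosen for the example.

```python
"""Token-based password reset (constructed example, not production code).

Properties demonstrated:
  * the reset token is random and only its SHA-256 hash is stored;
  * it expires after TOKEN_TTL_SECONDS (assumed: 15 minutes);
  * it is single-use and redeeming it invalidates the user's other tokens;
  * it is NOT a password: it can only be exchanged for a new password.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60          # assumption for the example
PBKDF2_ITERATIONS = 200_000          # toy setting; use a real password hash in practice


@dataclass
class ResetRecord:
    token_hash: bytes
    user_id: str
    expires_at: float
    used: bool = False


class PasswordResetService:
    def __init__(self, clock=time.time):
        self.clock = clock                       # injectable for testing expiry
        self.records: list[ResetRecord] = []     # stored hashes only, never tokens
        self.passwords: dict[str, tuple[bytes, bytes]] = {}  # user -> (salt, hash)

    # --- password storage (toy PBKDF2; a real system would use argon2/bcrypt) ---
    def set_password(self, user_id: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        self.passwords[user_id] = (salt, digest)

    def verify_password(self, user_id: str, password: str) -> bool:
        if user_id not in self.passwords:
            return False
        salt, digest = self.passwords[user_id]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        return hmac.compare_digest(candidate, digest)

    # --- reset tokens ---
    @staticmethod
    def _hash_token(token: str) -> bytes:
        return hashlib.sha256(token.encode()).digest()

    def issue(self, user_id: str) -> str:
        """Create a reset token; the plaintext goes only into the link sent to the user."""
        token = secrets.token_urlsafe(32)        # 256 bits of randomness
        self.records.append(ResetRecord(self._hash_token(token), user_id,
                                        self.clock() + TOKEN_TTL_SECONDS))
        return token

    def _lookup(self, token: str):
        h = self._hash_token(token)
        for rec in self.records:                 # constant-time compare per record
            if hmac.compare_digest(rec.token_hash, h):
                return rec
        return None

    def redeem(self, token: str, new_password: str) -> bool:
        """Exchange a valid token for a new password. Returns False on any failure."""
        rec = self._lookup(token)
        if rec is None or rec.used or self.clock() > rec.expires_at:
            return False
        # Mark every outstanding token for this user as used: one reset wins.
        for other in self.records:
            if other.user_id == rec.user_id:
                other.used = True
        self.set_password(rec.user_id, new_password)
        return True


def demo() -> dict:
    """Walk through the lifecycle with a controllable clock; returns the outcomes."""
    now = [1_700_000_000.0]
    svc = PasswordResetService(clock=lambda: now[0])
    svc.set_password("alice", "old-password")
    token = svc.issue("alice")
    results = {}
    results["token_is_not_a_password"] = not svc.verify_password("alice", token)
    results["first_redeem_ok"] = svc.redeem(token, "new-password")
    results["replay_rejected"] = not svc.redeem(token, "attacker-password")
    results["new_password_works"] = svc.verify_password("alice", "new-password")
    results["old_password_dead"] = not svc.verify_password("alice", "old-password")
    stale = svc.issue("alice")
    now[0] += TOKEN_TTL_SECONDS + 1            # advance past the TTL
    results["expired_rejected"] = not svc.redeem(stale, "late-password")
    results["garbage_rejected"] = not svc.redeem("not-a-real-token", "x")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAILED'}")
```

The same checks could be bolted onto a temporary password, as the next comment argues, but the token scheme makes them structural: because the token is never accepted by the login path, there is no "forgot to force the change" failure mode, and because only its hash is stored, a leaked database does not yield usable reset links.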


But can't you implement all three with a temporary password as well? Make the password valid for 24 hours only and when the user logs in with their temporary password perform any kind of extra verification and if that's passed then also force the user to change their password. Seems like the same thing.

The website I noticed on the front page (sunsuper.com.au) was doing precisely this (although their TTL was 90 days which is indeed far too long and it's impossible to tell whether they forced a password reset or simply recommended a password change).


Yes, but using a token is better for usability and trust since that won't make it possible to lock out other users by clicking the forgot password link, and I as a user will think it is more likely someone doing token based resets has done security correctly.


I built a small chrome extension that provides this functionality. Next to your name, the extension adds a mail icon that lights up whenever someone replies to one of your messages. It then takes you to a 'cleaned up' threads page that only shows new messages. Doesn't work for submissions though. https://chrome.google.com/webstore/detail/notifications-for-...


After reading all of Paul Ekman's books, watching all episodes of Lie to Me, and reading various other pop-science books, articles, posts, and so on, all on body language and lie detection, the only honest conclusion I could reach was that if you really want to know if someone's lying you better know the truth beforehand.

Though there is some science to the method, it ultimately relies on very complex combinations of all sorts of hints, clues, behaviors, all very ambiguous and hard to put to together. Applying this method to regular social interactions is even harder because you rarely get any feedback. You might determine that one person is lying but you might never get the chance to truly confirm your assessment. It's really hard to figure out what works and what doesn't.

You might have a chance at improving if you're a detective (maybe lawyer?) and get to often interview people, ask questions and immediately (or at least at some point) get feedback on whether your truthfulness assessment was right or not but if you're just some regular person who has ordinary social interactions it's much harder to become a human lie detector.


I read once that experienced detectives are worse at telling lies than rookies. The article theorized that old-timey detectives get very confident in their intuition and experience, so they assume they are right on a hunch sooner than rookies. The latter, inexperienced as they are, look harder at the facts and are more humble about guessing right or wrong.

There is something dangerous in believing you have the key to knowing when someone is lying or not: if you are confident someone is lying you are more likely to disregard facts or evidence, to justify your hunch.

Criminal profilers might qualify as experts in court, saying someone "fits the profile", helping the state make a case, while their profiling could be totally wrong, as it was in the famous sniper case, where they went with the classic "middle aged caucasian" and the killer was black and with his son(?) as an accomplice.

Even worse when you go through TSA, where the justifiable hunches are almost certainly ethnically biased.

I respect law enforcement's developed intuition to know "something might be happening", but would never take that as more than a football player thinking he will score the next goal.


>Criminal profilers might qualify as experts in court, saying someone "fits the profile", helping the state make a case, while their profiling could be totally wrong, as it was in the famous sniper case, where they went with the classic "middle aged caucasian" and the killer was black and with his son(?) as an accomplice.

What case is this? Also, is "middle aged caucasian" some kind of trope in police investigations? I wasn't aware it was…


http://en.wikipedia.org/wiki/Beltway_sniper_attacks

"It was widely speculated that a single sniper, initially identified as a white man with assumed military experience, was using the Interstate 495 Capital Beltway for travel, possibly in a white van or truck. It was later learned that the rampage was perpetrated by John Allen Muhammad, and a minor, Lee Boyd Malvo, then aged 17 and originally from Jamaica, driving a blue 1990 Chevrolet Caprice sedan."


It is for serial killers. They probably assume that because of statistics (most serial killers are white), and not a psychological profile.


Ekman's outfit designed the TSA's Behavioral Detection Officer program, which cost several hundred million dollars. Which shows how much some people want to believe. The GAO here says it was implemented without any evidence it is effective: http://www.gpo.gov/fdsys/pkg/CHRG-112hhrg65053/html/CHRG-112...


After hearing about Ekman's work some time back I assumed somebody would come up with an app that would be able to analyze a video feed to spot the microexpressions. I guess it's just not that easy (or perhaps not reliable).


Do those even exist? It sounds like bunk.


There are some apps that do something similar:

http://www.emotient.com/

http://www.affdex.com/

They work reasonably well if a frontal face picture can be captured.


For someone who has not actually served in a role with training (like that which you describe) you are remarkably astute about the realities of catching liars.

It takes considerable planning and man hours to uncover a truth from an individual intent to keep it hidden, often involving stress, deprivation of some sort and considerable psychological manipulation.

Not even necessarily a lie, simply a truth they are obfuscating.

Since you are interested you could do worse than read the references behind this Quora answer.

In terms of actual techniques to solicit withheld information - there are generally accepted to be 16 techniques which preclude enhanced interrogation such as calorie restriction, sleep deprivation etc. Bear in mind, as stated elsewhere, law enforcement do not interrogate. The military and intelligence organisations interrogate.

You can research each one in detail.

Direct Approach ...(just simply ask)

Love of Comrades ...(this will help save their comrades...)

Hate of Comrades (...they LEFT you...)

Love of Family ...(your war is over, talk and you get to go home...)

Identity Accuse ...(you are a criminal aren't you!)

Silence ...(simply wait them out)

Good Cop / Bad Cop

We already know ...(so you might as well tell us and help yourself)

Non-stop ...(Question after Question after Question)

Confused ...(Pretending the liar is smarter than you and you need help)

Pride/Ego ...(Congratulating the liar/restoring his pride)

Pride/Ego ...(Destroying the ego of the liar for being caught)

Fear Up ...(Scaring the liar Jack Bauer style)

Fear Down ...(Allaying fears with words and gifts to build rapport)

Without Hope ...(Making the prisoner see he is without any options)

Incentive ...(providing the reward for cooperation)


and in the case of police the one sure method to beating all of the above is "I want my lawyer NOW".


Not if you are being held on charges related to terrorism it won't.


Yaaay special cases!


Here's another useful link http://camdencollective.co.uk/academy/ There's a video in there and some other current info.

The main website should incorporate more of this information though. Right now details are scattered around twitter feeds, multiple websites, semi updated pages and this thread (hn is probably the best source of info right now).


This should now no longer be the case. There are links to both a FAQ to the "Current course" materials on the website.

