Security Basics mailing list archives

RE: How secure is Email based password reset?


From: "Nick Owen" <nowen () wikidsystems com>
Date: Thu, 8 May 2003 13:12:25 -0400

I think what you will find is that it's not secure, but it may not matter.
Many sites (especially developer programs, I find) allow for a new password
to be sent to the e-mail address entered upon account creation.  It makes
for a pretty trivial man-in-the-middle attack, but in the end they don't
care because you only register so they can track you, not for security.

Some companies sell systems that send the passcode via SMS to a cell phone,
which is essentially e-mail over a cellular channel, prone to the same risks.
I can't see the value in buying something to do that when any programmer
could whip up something similar in no time.  The cellular companies do that
here (U.S.) and it makes sense because no one is going to break into a
system to pay someone else's phone bill.

I would be careful about what you ask as the 'secret question' as well.  In
the US, companies are increasingly under pressure to protect non-public
personal information (HIPAA, GLB, etc.), so you don't want to ask for SSN,
mother's maiden name, etc.

Depending on your target market, there may not be many people who have public
keys to send you. If they do, then you've got a solution.

Having the passcode's valid lifetime be short doesn't affect the security, as
the attacker may have requested the passcode and is waiting for it, not
necessarily the user.

-----Original Message-----
From: Shekhar Jha [mailto:shekhar-jha () usa net]
Sent: Wednesday, May 07, 2003 10:19 AM
To: security-basics () securityfocus com
Subject: How secure is Email based password reset?


One of the ways to implement the password reset is to:
1. Ask the personal question.
2. If correctly answered, generate a unique temporary password.
3. Send the password over email to the user.
4. This would allow the user to log in once.

My query is regarding sending the password over email to the user. How secure is
it? Given that:
1. The server would be delivering the password email to an Internet Service
Provider.
2. The user would typically be online waiting for the password email to
arrive.
3. The password would be invalid after the first use.
How valid are these assumptions?

Any other pointers about different ways of resetting the password would be
helpful.
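An added example (not code from either poster) of what steps 2 to 4 of the quoted procedure can actually enforce on the server side: a high-entropy temporary password kept only as a hash, accepted exactly once and only before it expires. The in-memory store, the injectable clock and all names are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed validity window for the e-mailed password

class ResetTokenStore:
    # Constructed in-memory store of pending one-time passwords (names are assumptions).
    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # account -> {"digest": sha256 hex, "expires": epoch}

    @staticmethod
    def _digest(token: str) -> str:
        # Keep only a hash so a leaked table does not yield usable passwords.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, account: str) -> str:
        # Step 2 of the quoted procedure; a new request replaces any pending password.
        token = secrets.token_urlsafe(32)
        self._pending[account] = {"digest": self._digest(token),
                                  "expires": self._clock() + TOKEN_TTL_SECONDS}
        return token  # this value is what step 3 would e-mail to the user

    def redeem(self, account: str, token: str) -> bool:
        # Step 4: accept the password exactly once, and only before expiry.
        entry = self._pending.get(account)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[account]
            return False
        ok = hmac.compare_digest(entry["digest"], self._digest(token))
        if ok:
            del self._pending[account]  # consumed: a replayed copy is refused
        return ok

def demo() -> dict:
    # Exercise the store with a controllable clock and return the outcomes.
    now = [1_000_000.0]
    store = ResetTokenStore(clock=lambda: now[0])
    tok = store.issue("alice")
    out = {"wrong": store.redeem("alice", "guess"),
           "first_use": store.redeem("alice", tok),
           "replay": store.redeem("alice", tok)}
    tok2 = store.issue("alice")
    now[0] += TOKEN_TTL_SECONDS + 1  # let the second password age out
    out["expired"] = store.redeem("alice", tok2)
    return out
```

As the reply above points out, none of this tells the server whether the person who requested the reset is the account's owner; that residual risk lives in the personal question and in the e-mail channel, not in the token handling.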



---------------------------------------------------------------------------
FastTrain has your solution for a great CISSP Boot Camp. The industry's most
recognized corporate security certification track, provides a comprehensive
prospectus based upon the core principle concepts of security. This ALL
INCLUSIVE curriculum utilizes lectures, case studies and true hands-on
utilization
of pertinent security tools. For a limited time you can enter for a chance
to win one of the latest technological innovations, the SEGWAY HT.
Log onto http://www.securityfocus.com/FastTrain-security-basics
----------------------------------------------------------------------------
