Security Basics mailing list archives

Re: How secure is Email based password reset?


From: Martchukov Anton <vhlist () yandex ru>
Date: Thu, 8 May 2003 22:52:51 +0400

Wednesday, May 7, 2003, 6:18:56 PM, you wrote:

SJ> One of the ways to implement the password reset is to
SJ> 1. Ask the personal question
SJ> 2. If correctly answered, generate a unique temporary password
SJ> 3. Send the password over email to the user.
SJ> 4. This would allow the user to log in once.

You'd better force the user to change the password manually after answering
instead of transferring a plain-text password. If it's necessary to
validate the user's e-mail, you may generate a random page URL and send it to
the user. When the user goes there, he will be able to change the password, after
the right answer of course. Maybe it's more secure?

-- 
Best regards,
 Martchukov Anton aka vh                    mailto:vhlist () yandex ru
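The random-URL reset flow suggested in the reply, as an added example that is not part of the original post or any project the thread describes. It assumes a hypothetical application at app.example.invalid, an in-memory dictionary standing in for the database table of pending resets, and a 15-minute link lifetime. The security-relevant choices it shows: the token comes from the OS CSPRNG, only its hash is stored (so a database leak does not leak live reset links), lookup uses a constant-time comparison, and the token is both time-limited and single-use. The personal-question check the reply mentions would sit in front of redeem_reset_token in a real deployment.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumption: reset links expire after 15 minutes

# Constructed in-memory stores for the example. A real deployment would use
# database tables with the same columns.
_pending_resets: dict = {}  # sha256(token) -> {"username", "expires_at", "used"}
_users: dict = {"alice": {"email": "alice@example.invalid", "password_hash": None}}


def _hash_token(token: str) -> str:
    """Only the hash of the reset token is ever stored server-side."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def _hash_password(password: str) -> str:
    """Salted PBKDF2 for the example; use argon2/bcrypt/scrypt in production (assumption)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt.hex() + ":" + digest.hex()


def create_reset_link(username: str, now: Optional[float] = None) -> Optional[str]:
    """Generate a single-use, time-limited reset URL to be e-mailed to the user.

    Returns None for an unknown account; the caller should still respond to the
    requester identically so account existence is not revealed.
    """
    if username not in _users:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _pending_resets[_hash_token(token)] = {
        "username": username,
        "expires_at": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    # Hypothetical URL layout; only the random token carries meaning.
    return f"https://app.example.invalid/reset?token={token}"


def redeem_reset_token(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Validate a presented token and, if valid, set the new password.

    The token is consumed on success, so the same e-mailed link cannot be
    replayed; expired or already-used tokens are rejected.
    """
    now = time.time() if now is None else now
    presented = _hash_token(token)
    record = None
    # Constant-time comparison against each stored hash avoids a timing side
    # channel on the lookup itself.
    for stored_hash, rec in _pending_resets.items():
        if hmac.compare_digest(stored_hash, presented):
            record = rec
            break
    if record is None or record["used"] or now > record["expires_at"]:
        return False
    record["used"] = True
    _users[record["username"]]["password_hash"] = _hash_password(new_password)
    return True


if __name__ == "__main__":
    link = create_reset_link("alice")
    print("mail this link to the user:", link)
    token = link.split("token=")[1]
    print("first redemption:", redeem_reset_token(token, "correct horse battery staple"))
    print("replay attempt:", redeem_reset_token(token, "something else"))
```

The user never receives a password by e-mail; the link only opens the change-password page, and the server-side record is what enforces expiry and single use.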

