WebApp Sec mailing list archives

Re: "Forgot Password" function


From: "Brecrost Jones" <brecrost () hotmail com>
Date: Fri, 18 Oct 2002 15:44:55 -0600



Kevin Spett wrote:
I'd like to remind everyone that unencrypted email offers no authentication
or privacy.  There is no protection against MITM attacks.  Consider the
following scenario:

An evil, mean, no-good hacker breaks into a mailserver.
In an atrocious display of lack of respect for personal privacy, said hacker
proceeds to peruse the mailserver's users' e-mail.
This hacker sees a newsletter, account registration confirmation, order
receipt, etc. from an online retailer, service, etc.
The hacker uses the information in the email, which may or may not contain
actual username, to go to the site and uses the handy dandy "I forgot my
password, please email it to me" application.
The server complies with this request and emails the account holder a new
password, or a link to where the new password can be obtained, or a clever
riddle whose answer is the new password, or whatever. Choose your method of
delivery.
The hacker, from his bedroom in a suburban California neighborhood, reads
the password, visits the link, solves the riddle, etc.  Since he or she (I'd
like to give a shout out to all the lady hackers out there, keeping it real
no doubt) has control of the mailserver, the hacker then makes sure that the
email never reaches the actual account holder.
The hacker abuses the account in each and every last way possible, leaving
no options for exploitation unexplored.
The actual account holder receives a Mastercard statement for thousands of
dollars in goods he or she did not purchase and a visit from the Department
of Homeland Security who demand to know why that person attempted to
purchase maps of burglary tools, weapons and controlled substances.  What
else do you do with stolen credit card numbers?

Does this sound amazingly theoretical to anyone? It's not.  This kind of
thing happens each and every day in deep, dark dungeons of cyberspace.  The
only good solution is complete re-authentication of the account holder. The
local cable company in my area does this.  If you lose your password to the
bill paying application, you must enter all of your personal information
(DOB, CC#, exp. date, address, etc.) again to get a new password. If you've
got a problem with that, you have to call their "customer service
professionals" and explain your case.



First off, thanks to everyone for their responses!

The above outlines perfectly the issue I am worried about, and that is the inherent insecurity of any email-based solution. Unfortunately, I did not express this very well in my original post. I originally stated that I was concerned about sending the password in plain text, which was a mistake for two reasons: One, I didn't even consider that I don't have access to the plaintext password (I am storing it in the database as an SHA-1 digest), and Two, my actual concern is that the email itself is plain text, so no matter what the contents of the email (plaintext password, link to secure page allowing password change, etc.), if someone intercepts that email, they can gain access to the account (right?).

So I guess what I was looking for is something that does not use email at all, and something that doesn't rely on a "secret question". So maybe the solution is as mentioned above: several "secret questions" (i.e. essentially re-entering all or most of the account information), or the low-tech "give us a call" method. I'm afraid that both of those solutions may be considered too inconvenient for the user by my project managers, but I suppose that is all too often the issue with security-related questions, the tradeoff between convenience and security.

Thanks again for all suggestions.




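To make the thread's two points concrete, here is an added example (not code from either poster; account field names, the PBKDF2 choice instead of the poster's bare SHA-1, and the lockout limit are all my assumptions). It models both reset paths side by side: the "email me a link" path, where whoever reads the mailbox sets the password, and the cable-company style full re-authentication, where the caller must re-enter personal data the mailbox does not contain. All re-auth fields are compared with constant-time checks and no early exit, and repeated failures lock the account so the remaining option is the phone call.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Optional

MAX_REAUTH_FAILURES = 5  # assumed policy; after this only "give us a call" remains


@dataclass
class Account:
    """Hypothetical account record (field names are assumptions for this example)."""
    username: str
    salt: bytes
    password_hash: bytes
    # Re-authentication data (DOB, last four card digits, postcode), stored as
    # salted slow hashes so a database leak does not hand them out in clear.
    reauth_hashes: dict
    failed_reauth: int = 0
    locked: bool = False
    reset_token: Optional[bytes] = None


def _hash_secret(salt: bytes, value: str) -> bytes:
    # The original post stores a bare SHA-1 digest; this example uses PBKDF2
    # (my choice, not the poster's setup) so the stored values resist guessing.
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 100_000)


def create_account(username, password, dob, card_last4, postcode) -> Account:
    salt = os.urandom(16)
    fields = {"dob": dob, "card_last4": card_last4, "postcode": postcode}
    return Account(
        username=username,
        salt=salt,
        password_hash=_hash_secret(salt, password),
        reauth_hashes={k: _hash_secret(salt, v) for k, v in fields.items()},
    )


def check_password(acct: Account, password: str) -> bool:
    return hmac.compare_digest(acct.password_hash, _hash_secret(acct.salt, password))


# --- Path 1: the "email me a link" reset the thread warns about --------------

def issue_email_reset(acct: Account) -> str:
    """Create the single-use token that would be mailed to the account holder.
    Only a hash of it is stored; the return value stands in for the mail body,
    which in Kevin's scenario the attacker reads on the compromised mailserver."""
    token = secrets.token_bytes(32)
    acct.reset_token = hashlib.sha256(token).digest()
    return token.hex()


def reset_via_email_token(acct: Account, token_hex: str, new_password: str) -> bool:
    """Whoever presents the mailed token sets the password: mailbox == account."""
    if acct.reset_token is None:
        return False
    presented = hashlib.sha256(bytes.fromhex(token_hex)).digest()
    if not hmac.compare_digest(acct.reset_token, presented):
        return False
    acct.reset_token = None  # single use
    acct.password_hash = _hash_secret(acct.salt, new_password)
    return True


# --- Path 2: full re-authentication with data the mailbox does not contain ---

def reset_via_reauth(acct: Account, answers: dict, new_password: str) -> bool:
    """Require every stored item to match before changing the password.
    Every field is checked (no early exit), so a wrong answer does not reveal
    which field failed; repeated failures lock the account."""
    if acct.locked:
        return False
    ok = True
    for name, stored in acct.reauth_hashes.items():
        given = _hash_secret(acct.salt, answers.get(name, ""))
        ok &= hmac.compare_digest(stored, given)
    if not ok:
        acct.failed_reauth += 1
        if acct.failed_reauth >= MAX_REAUTH_FAILURES:
            acct.locked = True
        return False
    acct.failed_reauth = 0
    acct.password_hash = _hash_secret(acct.salt, new_password)
    return True
```

Run through Kevin's scenario, the attacker who has read the mailbox takes over the account on path 1 with nothing but the mailed token, while on path 2 the same attacker fails unless they also hold the DOB, card digits and postcode, and five wrong tries lock the account even for someone who later produces the right answers.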

