WebApp Sec mailing list archives
RE: "Forgot Password" function
From: "William Bartholomew" <william () orlitech com au>
Date: Mon, 21 Oct 2002 06:54:10 +1000
The simple solution to this problem is to actually generate a new password for the user and email them that instead, and force them to change it on the first login. That achieves a few security goals:

1. The password does not need to be stored in clear-text.
2. The emailed password is only useful for one login.
3. If the user tries to login with the password they were emailed and it doesn't work, they can assume someone else is accessing their account.

Regards,

William Bartholomew
Internet Developer
Orli-TECH Pty Ltd
"Your Innovative e-Business Partner"
Web: http://www.orlitech.com.au
Email: william () orlitech com au
Phone: +61 7 3292 0220
Fax: +61 7 3292 0221
Visit our online store http://www.instantit.com.au

This electronic communication (including any attached files) may contain confidential and/or legally privileged information and is only intended for the viewing purposes of the person to whom it is addressed. If you are not the intended recipient, you do not have permission to read, use, disseminate, distribute, copy or retain any part of this communication or its attachments in any form. If you receive this email in error, please contact us on +61 7 3292 0222 or by email and delete all copies.
-----Original Message-----
From: David Bullock [mailto:davidbullock () tech-center com]
Sent: Saturday, 19 October 2002 4:09 AM
To: Brecrost Jones; webappsec () securityfocus com
Subject: Re: "Forgot Password" function

You can also mail a link with a secured hash to their email address, for them to enter a new password. Emailing them the password not only has the risk of sending the password in the clear, you also have to store it in the clear, and that carries its own risks.

Dave

----- Original Message -----
From: "Brecrost Jones" <brecrost () hotmail com>
To: <webappsec () securityfocus com>
Sent: Friday, October 18, 2002 10:31 AM
Subject: "Forgot Password" function

I'm looking for opinions on the most secure way to implement a "Forgot my password" function for a website. I know that having this feature is probably an inherent security risk, but __assuming that it is a required feature__ what would be the most secure way to implement it?

Is the "enter your email address and we'll mail you the password" the best way to go? As far as I can tell, it's the most common. But I'm not sure if I'm comfortable sending the password in a clear text email message.

I don't really like the "secret question" method either, since if someone can get the question, they may be able to guess the answer.

Are there other methods out there? Has anyone come up with a novel solution that is more secure?
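The reset flow David describes (a link carrying a random secret instead of the password) combined with the properties William lists (nothing usable stored in the clear, one use only, the user must set a fresh password), written out as an added example; this is editor's code, not code posted by anyone on this thread. The in-memory user table and token table, the 15-minute lifetime and the https://www.example.com/reset endpoint are constructed stand-ins for whatever the real site uses.

```python
"""Password reset via an emailed one-time link (added example, not from the thread)."""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Constructed stand-in for the application's user table: email -> record.
# Passwords are kept only as salted, iterated hashes, never in the clear.
USERS = {"alice@example.com": {"salt": None, "pw_hash": None}}

# Constructed stand-in for a reset-token table: sha256(token) -> record.
# The token itself is never written down server-side, so a copy of this
# table does not yield a working reset link (David's "store it in the clear" risk).
RESET_TOKENS = {}

TOKEN_TTL = 15 * 60                               # assumption: link lives 15 minutes
RESET_URL = "https://www.example.com/reset"       # assumption: the site's reset page


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256; iteration count kept modest for the example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def set_password(email, password):
    salt = secrets.token_bytes(16)
    USERS[email]["salt"] = salt
    USERS[email]["pw_hash"] = hash_password(password, salt)


def verify_password(email, password):
    user = USERS.get(email)
    if user is None or user["pw_hash"] is None:
        return False
    # Constant-time comparison of the two hashes.
    return hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])


def token_fingerprint(token):
    """What gets stored: a one-way digest of the token, not the token."""
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset(email, now=None):
    """Mint a one-time reset token and return the link to e-mail.

    Returns None for an unknown address. The web layer should answer with the
    same "if that account exists, a link has been sent" page in both cases so
    the form cannot be used to enumerate accounts.
    """
    now = time.time() if now is None else now
    if email not in USERS:
        return None
    # Any earlier outstanding link for this account stops working.
    for rec in RESET_TOKENS.values():
        if rec["email"] == email:
            rec["used"] = True
    token = secrets.token_urlsafe(32)             # 256 bits from the OS CSPRNG
    RESET_TOKENS[token_fingerprint(token)] = {
        "email": email, "expires": now + TOKEN_TTL, "used": False}
    return f"{RESET_URL}?token={token}"


def token_from_link(link):
    """Parse the token back out of the link, as the reset page would."""
    return parse_qs(urlparse(link).query)["token"][0]


def redeem_reset(token, new_password, now=None):
    """Consume a link: must be known, unexpired and unused; then set the new password."""
    now = time.time() if now is None else now
    rec = RESET_TOKENS.get(token_fingerprint(token))
    if rec is None or rec["used"] or now > rec["expires"]:
        return False
    rec["used"] = True                            # single use: the link is dead from here on
    set_password(rec["email"], new_password)      # the user chooses the password, we never see it in mail
    return True


if __name__ == "__main__":
    link = issue_reset("alice@example.com")
    print("mail this:", link)
    print("first use ok:", redeem_reset(token_from_link(link), "correct horse battery"))
    print("second use ok:", redeem_reset(token_from_link(link), "replayed"))
```

Compared with mailing a fresh password, the mail still carries a secret, but it is one that sets no password by itself, dies after one use or fifteen minutes, and whose server-side record is a digest; William's third point carries over directly, since a user whose link has already been consumed gets a failure and knows someone else used it.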
Current thread:
- Re: "Forgot Password" function, (continued)
- Re: "Forgot Password" function Chris Shepherd (Oct 18)
- Re: "Forgot Password" function Kevin Spett (Oct 18)
- Re: "Forgot Password" function Mark Curphey (Oct 18)
- Re: "Forgot Password" function Kevin Spett (Oct 18)
- Re: "Forgot Password" function Brecrost Jones (Oct 18)
- Password Recovery (long) was Re: "Forgot Password" function Charles Miller (Oct 19)
- Re: Password Recovery (long) was Re: "Forgot Password" function Sverre H. Huseby (Oct 19)
- Re: Password Recovery (long) was Re: "Forgot Password" function Charles Miller (Oct 19)
- Password Recovery (long) was Re: "Forgot Password" function Charles Miller (Oct 19)
- RE: "Forgot Password" function wsmith (Oct 18)
- RE: "Forgot Password" function Matthew_Chalmers (Oct 19)
- RE: "Forgot Password" function William Bartholomew (Oct 20)
- Re: "Forgot Password" function Kevin Spett (Oct 20)