WebApp Sec mailing list archives

RE: "Forgot Password" function


From: "William Bartholomew" <william () orlitech com au>
Date: Mon, 21 Oct 2002 06:54:10 +1000

The simple solution to this problem is to actually generate a new
password for the user and email them that instead and force them to
change it on the first login. That achieves a few security goals:

1. The password does not need to be stored in clear-text.

2. The emailed password is only useful for one login.

3. If the user tries to log in with the password they were emailed and it
doesn't work they can assume someone else is accessing their account.


Regards,

William Bartholomew
Internet Developer
Orli-TECH Pty Ltd
"Your Innovative e-Business Partner"

Web:   http://www.orlitech.com.au
Email: william () orlitech com au
Phone: +61 7 3292 0220
Fax:   +61 7 3292 0221

Visit our online store http://www.instantit.com.au


-----Original Message-----
From: David Bullock [mailto:davidbullock () tech-center com]
Sent: Saturday, 19 October 2002 4:09 AM
To: Brecrost Jones; webappsec () securityfocus com
Subject: Re: "Forgot Password" function

You can also mail a link with a secured hash to their email address, for
them to enter a new password.

Emailing them the password not only has the risk of sending the password in
the clear, you also have to store it in the clear, and that carries its own
risks.

Dave

----- Original Message -----
From: "Brecrost Jones" <brecrost () hotmail com>
To: <webappsec () securityfocus com>
Sent: Friday, October 18, 2002 10:31 AM
Subject: "Forgot Password" function


I'm looking for opinions on the most secure way to implement a "Forgot my
password" function for a website.  I know that having this feature is
probably an inherent security risk, but __assuming that it is a required
feature__ what would be the most secure way to implement it?

Is the "enter your email address and we'll mail you the password" the best
way to go?  As far as I can tell, it's the most common.  But I'm not sure if
I'm comfortable sending the password in a clear text email message.

I don't really like the "secret question" method either, since if someone
can get the question, they may be able to guess the answer.

Are there other methods out there?  Has anyone come up with a novel solution
that is more secure?
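As an added example (not code from anyone in this thread), here is the shape of the reset flow David's "link with a secured hash" suggestion implies, with the two properties William lists: the server stores only a hash of the emailed secret and the secret works exactly once. The in-memory store, the function names and the 15-minute lifetime are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

# Assumed in-memory store: email -> (sha256 hex of token, expiry time).
# A real site keeps this alongside the account record in its database.
_pending_resets = {}
TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime of an unredeemed link

def issue_reset_token(email, now=None):
    """Create a one-time reset token and return it for the emailed link.

    Only the SHA-256 of the token is stored, so a leaked table does not
    yield usable links. A fast hash is fine here: the token carries
    256 bits of randomness, so it cannot be brute-forced from its hash.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    _pending_resets[email] = (digest, now + TOKEN_TTL_SECONDS)
    return token

def reset_link(base_url, email, token):
    """Build the link to email; query values are URL-encoded."""
    return f"{base_url}/reset?{urlencode({'email': email, 'token': token})}"

def redeem_reset_token(email, token, now=None):
    """Check a presented token. Returns True once; the token is then spent.

    A wrong token does not consume the pending entry, so the legitimate
    user's link still works (or, if it no longer does, that itself is the
    signal William describes in point 3).
    """
    now = time.time() if now is None else now
    entry = _pending_resets.get(email)
    if entry is None:
        return False
    stored_digest, expires_at = entry
    if now > expires_at:
        _pending_resets.pop(email, None)   # expired links are discarded
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    # Constant-time compare so response timing does not leak matches.
    if not hmac.compare_digest(stored_digest, presented):
        return False
    _pending_resets.pop(email, None)       # single use: consume on success
    return True
```

On successful redemption the application would then require the user to choose a new password, which is the only moment a clear-text secret exists and it never leaves the request.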
