WebApp Sec mailing list archives
Re: "Forgot Password" function
From: "Kevin Spett" <kspett () spidynamics com>
Date: Sun, 20 Oct 2002 21:19:39 -0400
The simple solution to this problem is to actually generate a new password for the user and email them that instead and force them to change it on the first login. That achieves a few security goals:
This does nothing to defend against the scenario I wrote about earlier in this thread. You can read it here: http://archives.neohapsis.com/archives/sf/www-mobile/2002-q4/0020.html To reiterate, unencrypted email offers no garauntee of privacy or authenticity. Kevin Spett SPI Labs http://www.spidynamics.com/
Current thread:
- Re: "Forgot Password" function, (continued)
- Re: "Forgot Password" function Kevin Spett (Oct 18)
- Re: "Forgot Password" function Mark Curphey (Oct 18)
- Re: "Forgot Password" function Kevin Spett (Oct 18)
- Re: "Forgot Password" function Brecrost Jones (Oct 18)
- Password Recovery (long) was Re: "Forgot Password" function Charles Miller (Oct 19)
- Re: Password Recovery (long) was Re: "Forgot Password" function Sverre H. Huseby (Oct 19)
- Re: Password Recovery (long) was Re: "Forgot Password" function Charles Miller (Oct 19)
- Password Recovery (long) was Re: "Forgot Password" function Charles Miller (Oct 19)
- RE: "Forgot Password" function wsmith (Oct 18)
- RE: "Forgot Password" function Matthew_Chalmers (Oct 19)
- RE: "Forgot Password" function William Bartholomew (Oct 20)
- Re: "Forgot Password" function Kevin Spett (Oct 20)