WebApp Sec mailing list archives
Re: "Forgot Password" function
From: "Kevin Spett" <kspett () spidynamics com>
Date: Fri, 18 Oct 2002 15:52:15 -0400
> True, the transport of the email itself is plaintext and in theory hijacking
> is possible. Perhaps tie the id to the ip addy of the person requesting it so
> that only the person requesting the password can view this link that times
> out after 1 use.
IP-based solutions have many problems because of NAT, user mobility, etc. that have been discussed on this list before so I'm not going to rehash them. If an attacker has compromised a mailserver and knows a user has an account with a website, requesting a new password via email would make a lot of sense. Verification with other personal information is the way to go.

Kevin Spett
SPI Labs
http://www.spidynamics.com/
Current thread:
- "Forgot Password" function Brecrost Jones (Oct 18)
- Re: "Forgot Password" function David Bullock (Oct 18)
- Re: "Forgot Password" function Kevin Spett (Oct 18)
- Re: "Forgot Password" function Haroon Meer (Oct 18)
- Re: "Forgot Password" function Jeroen Latour (Oct 18)
- Re: "Forgot Password" function Chris Shepherd (Oct 18)
- Re: "Forgot Password" function Kevin Spett (Oct 18)
- <Possible follow-ups>
- Re: "Forgot Password" function Mark Curphey (Oct 18)
- Re: "Forgot Password" function Kevin Spett (Oct 18)
- Re: "Forgot Password" function Brecrost Jones (Oct 18)
- Password Recovery (long) was Re: "Forgot Password" function Charles Miller (Oct 19)
- Re: Password Recovery (long) was Re: "Forgot Password" function Sverre H. Huseby (Oct 19)
- Re: Password Recovery (long) was Re: "Forgot Password" function Charles Miller (Oct 19)
- Password Recovery (long) was Re: "Forgot Password" function Charles Miller (Oct 19)
- RE: "Forgot Password" function wsmith (Oct 18)
- RE: "Forgot Password" function Matthew_Chalmers (Oct 19)
- RE: "Forgot Password" function William Bartholomew (Oct 20)
- Re: "Forgot Password" function Kevin Spett (Oct 20)