Security Basics mailing list archives

Re: How secure is Email based password reset?
From: "brien mac" <aph3x () linuxmail org>
Date: Thu, 08 May 2003 01:44:03 -0400

When the user initially signs up for the service (or whatever it is you're providing), require that the user provide 
their public key. After authenticating the user with the secret question/answer, email the user their temporary 
password encrypted with their public key. You could also place a "timeout" on the temporary password. If the user does 
not log in within a specified period of time, 5 minutes perhaps, the temporary password "expires" and is no longer 
valid, forcing the user to repeat the process. Additionally, you could temporarily disable the account after a 
predefined number of failed retrieval attempts.

Just a few ideas, hope they help...

One of the ways to implement the password reset is to
1. Ask the personal question.
2. If correctly answered, generate a unique temporary password.
3. Send the password over email to the user.
4. This would allow the user to log in once.

My query is regarding sending the password over email to user. How secure is
it? Given that,
1. The Server would be delivering the password email to an Internet Service
Provider.
2. The user would typically be online waiting for the password email to
arrive.
3. The password would be invalid after the first use.
How valid are these assumptions?

Any other pointers about different ways of resetting the password would be
helpful.

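The controls discussed in this thread (single-use temporary password, a 5-minute expiry, and lockout after repeated failed retrieval attempts) are sketched below as an added example; it is not code from either poster. The class name, the lockout threshold of 3 and the in-memory storage are assumptions, and encrypting the returned value to the user's public key before mailing it is left to the caller.

```python
import hashlib, hmac, secrets, time

TTL_SECONDS = 5 * 60      # the "5 minutes perhaps" timeout suggested in the reply
MAX_FAILED_ANSWERS = 3    # assumed threshold; the thread gives no number

def _h(value):
    return hashlib.sha256(value.encode()).digest()

class ResetService:  # hypothetical name, in-memory storage for illustration
    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts = {}  # user -> {"answer": digest, "failed": int, "locked": bool}
        self.pending = {}   # user -> (digest of temp password, expiry timestamp)

    def register(self, user, secret_answer):
        answer = _h(secret_answer.strip().lower())
        self.accounts[user] = {"answer": answer, "failed": 0, "locked": False}

    def request_reset(self, user, answer):
        """Return a temporary password to send to the user, or None on failure."""
        acct = self.accounts.get(user)
        if acct is None or acct["locked"]:
            return None
        if not hmac.compare_digest(acct["answer"], _h(answer.strip().lower())):
            acct["failed"] += 1
            # Disable further retrievals once the threshold is reached.
            acct["locked"] = acct["failed"] >= MAX_FAILED_ANSWERS
            return None
        acct["failed"] = 0
        temp = secrets.token_urlsafe(16)  # unpredictable, unique per request
        # Store only a digest, so a database leak does not expose live passwords.
        self.pending[user] = (_h(temp), self.clock() + TTL_SECONDS)
        return temp  # caller encrypts this to the user's public key, then mails it

    def redeem(self, user, temp):
        """True at most once and only before expiry; any attempt consumes the entry."""
        entry = self.pending.pop(user, None)
        if entry is None:
            return False
        digest, expires = entry
        return self.clock() < expires and hmac.compare_digest(digest, _h(temp))
```

Because any redemption attempt consumes the pending entry, a wrong guess forces the whole process to be repeated; that limits guessing but lets a third party cancel a pending reset.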
