Security Basics mailing list archives

Re: How secure is Email based password reset?
From: "S. Rohit" <s.rohit () usa net>
Date: Fri, 9 May 2003 01:00:42 +0800

hi...

    Is it really necessary to use email as the password distribution mechanism?
Are you allowed to consider options like a PIN mailer by registered post, which
are generally considered a more secure password delivery option? Because to
secure the password delivery process using email, you need to be able to
encrypt the email itself, as Kevin has pointed out below. This will lead to
a lot of key management and key life cycle issues for the system.

rohit

----- Original Message ----- 
From: "Kevin Saenz" <ksaenz () spinaweb com au>
To: "Shekhar Jha" <shekhar-jha () usa net>
Cc: <security-basics () securityfocus com>
Sent: Thursday, May 08, 2003 7:56 AM
Subject: Re: How secure is Email based password reset?


The problem with email is that you are sending messages using
plain text. If a would-be cracker was sniffing your outbound
port then you might have a problem with sending passwords
through emails.

Could you give your client's PGP or similar keys and
encrypt emails if they contain passwords?

One of the ways to implement the password reset is to
1. Ask the personal question
2. If correctly answered, generate a unique temporary password
3. Send the password over email to the user.
What if the user says "I won't be able to check the email at that
address till the end of the day, but could you please send it to
blah () hotmail com"?

4. This would allow the user to login once.

My query is regarding sending the password over email to the user. How
secure is it? Given that,
1. The server would be delivering the password email to an Internet
Service Provider.
2. The user would typically be online waiting for the password email to
arrive.
3. The password would be invalid after the first use.
How valid are these assumptions?

Any other pointers about different ways of resetting the password would
be helpful.




---------------------------------------------------------------------------
FastTrain has your solution for a great CISSP Boot Camp. The industry's most
recognized corporate security certification track, provides a comprehensive
prospectus based upon the core principle concepts of security. This ALL
INCLUSIVE curriculum utilizes lectures, case studies and true hands-on
utilization of pertinent security tools. For a limited time you can enter for
a chance to win one of the latest technological innovations, the SEGWAY HT.
Log onto http://www.securityfocus.com/FastTrain-security-basics
----------------------------------------------------------------------------
-- 
Regards,

Kevin Saenz

Spinaweb
Your one stop shop for I.T solutions.

Ph: 02 4620 5130
Fax: 02 4625 9243
Mobile: 0418455661
Web: http://www.spinaweb.com.au
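The four-step flow quoted above (personal question, temporary credential, mail it, allow one login), worked through as an added example. This is not code from anyone in the thread and not from any product mentioned on the page; it assumes a hypothetical in-memory user store, a constructed sample user, and a 15-minute token lifetime. It replaces the temporary password with a random one-time token that is stored only as a hash, and adds the two checks the thread circles around: the token goes only to the address on file (never to an address the requester supplies), and it is dead after one use or on expiry, so a copy sniffed in transit is useful only inside that window.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60   # seconds; assumes the user is online waiting, as the question states


def _kdf(secret, salt):
    # PBKDF2 for the stored answer and password; never keep either in clear.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def _new_user(email, answer, password):
    salt = secrets.token_bytes(16)
    return {
        "email": email,
        "salt": salt,
        "answer_hash": _kdf(answer, salt),     # the "personal question" answer
        "password_hash": _kdf(password, salt),
    }


# Constructed sample user store for this example (hypothetical, in memory).
USERS = {"shekhar": _new_user("shekhar@example.org", "blue", "old-password")}

# username -> (sha256 hex of the outstanding token, expiry in epoch seconds)
PENDING = {}


def request_reset(username, answer, requested_email, now=None):
    """Steps 1-3: verify the personal question, mint a one-time token and
    return (recipient, token) for the mailer, or None on any failure.

    The token is always sent to the address on file. A request to send it
    elsewhere is refused: anyone who knows the answer could otherwise just
    redirect the reset to a mailbox he controls."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None:
        return None
    if not hmac.compare_digest(_kdf(answer, user["salt"]), user["answer_hash"]):
        return None
    if requested_email.strip().lower() != user["email"].lower():
        return None
    token = secrets.token_urlsafe(32)          # 256 random bits: not guessable
    PENDING[username] = (hashlib.sha256(token.encode()).hexdigest(), now + TOKEN_TTL)
    return user["email"], token                 # only the hash stays on the server


def consume_reset(username, token, new_password, now=None):
    """Step 4: accept the token exactly once, and only before it expires."""
    now = time.time() if now is None else now
    entry = PENDING.get(username)
    if entry is None:
        return False
    digest, expiry = entry
    if now > expiry:
        del PENDING[username]
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, digest):
        # Leave the entry alone on a mismatch: with a 256-bit token a wrong
        # guess learns nothing, and deleting here would let anyone cancel a
        # pending legitimate reset by submitting junk.
        return False
    del PENDING[username]                       # single use: gone once it matches
    USERS[username]["password_hash"] = _kdf(new_password, USERS[username]["salt"])
    return True


def verify_password(username, password):
    user = USERS.get(username)
    if user is None:
        return False
    return hmac.compare_digest(_kdf(password, user["salt"]), user["password_hash"])


if __name__ == "__main__":
    recipient, token = request_reset("shekhar", "blue", "shekhar@example.org")
    # The token line below is exactly what a sniffer on the outbound port would capture.
    print("mail to", recipient, "token", token)
    print("first use:", consume_reset("shekhar", token, "new-password"))
    print("second use:", consume_reset("shekhar", token, "again"))
```

What this does not do is protect the mail itself: the token still crosses the network in clear unless the message is encrypted end to end, which is the key-management cost Rohit points to. What it does is make the three assumptions in the question enforceable on the server side rather than hoped for: the credential cannot be redirected, it expires whether or not the user ever reads the mail, and the first successful use destroys it.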

