Home page logo
/

basics logo Security Basics mailing list archives

Re: How secure is Email based password reset?
From: Brian Eckman <eckman () umn edu>
Date: Thu, 08 May 2003 12:22:01 -0500

I'm assuming this is a password reset for a Web site?

I guess I disagree with most people. I think the method that you outline is reasonable for most uses. I think your assumptions are reasonable ones. If this is for online banking or something similar, then other precautions should be included, such as the suggestion I list below.

Obviously, only send the E-mail to their registered E-mail address, don't let them provide one now. Also, it must be enforced that the temporary password can be used exactly once.

Something you could consider:

Use SSL on the password reset request Web page. Have it display a random passphrase that must be entered for the user to reset their password. E-mail them a customized URL to reset their password on. This page (also SSL encrypted) should be configured to only be accessible once. Users must enter the passphrase they were given, as well as choose their new password, which is not E-mailed to them. Allow 0-2 failures of the passphrase before expiring the custom URL.

It doesn't really have to be a custom URL, as long as your server can identify the correct passphrase issued to that account.

If SSL is not used during authentication, then all of this is pointless, since the password is sent along cleartext anyway. Your described method would be acceptible if SSL is never used.

Brian


Shekhar Jha wrote:
One of the ways to implement the password reset is to
1. Ask the personal question
2. if correctly answered, generates a unique temporary password
3. Send the password over email to user.
4. This would allow user to login once.

My query is regarding sending the password over email to user. How secure is
it? Given that,
1. The Server would be delivering the password email to an Internet Service
Provider.
2. The user would typically be online waiting for the password emal to
arrive.
3. The password would be invalid after the first use.
How valid are these assumptions?

Any other pointers about different way of re-setting the password would be
helpful.


--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
612-626-7737

"There are 10 types of people in this world. Those who
understand binary and those who don't."


---------------------------------------------------------------------------
FastTrain has your solution for a great CISSP Boot Camp. The industry's most recognized corporate security certification track, provides a comprehensive prospectus based upon the core principle concepts of security. This ALL INCLUSIVE curriculum utilizes lectures, case studies and true hands-on utilization of pertinent security tools. For a limited time you can enter for a chance to win one of the latest technological innovations, the SEGWAY HT. Log onto http://www.securityfocus.com/FastTrain-security-basics ----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]