Home page logo

basics logo Security Basics mailing list archives

Re: How secure is Email based password reset?
From: Brian Eckman <eckman () umn edu>
Date: Fri, 09 May 2003 14:13:37 -0500

Comments within.

Martchukov Anton wrote:
Wednesday, May 7, 2003, 6:18:56 PM, you wrote:

SJ> One of the ways to implement the password reset is to
SJ> 1. Ask the personal question
SJ> 2. if correctly answered, generates a unique temporary password
SJ> 3. Send the password over email to user.
SJ> 4. This would allow user to login once.

You'd better force user to change password manually after answering
instead of transferring a plain text password.

Then all an attacker needs to do is guess the answer to the personal question. This is often easier than guessing the password itself, and almost always easier than sniffing the E-mail that would be generated.

> If it's necessary to validate user's e-mail, you may generate random
> page URL and send it to user. When user goes there, he will be able to
> change password, after
> right answer of cause. Maybe it's more secure?

The E-mailed random URL can be sniffed as easily as an E-mailed password.

Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota

"There are 10 types of people in this world. Those who
understand binary and those who don't."

FastTrain has your solution for a great CISSP Boot Camp. The industry's most recognized corporate security certification track, provides a comprehensive prospectus based upon the core principle concepts of security. This ALL INCLUSIVE curriculum utilizes lectures, case studies and true hands-on utilization of pertinent security tools. For a limited time you can enter for a chance to win one of the latest technological innovations, the SEGWAY HT. Log onto http://www.securityfocus.com/FastTrain-security-basics ----------------------------------------------------------------------------

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]