The problem with email is obviously that you put a password in plaintext,
which is no good. If possible, consider going low tech. Have them pick up
a phone to call someone and verify personal information to reset the
password.
Kevin Spett
SPI Labs
http://www.spidynamics.com/
----- Original Message -----
From: "Brecrost Jones" <brecrost_at_hotmail.com>
To: <webappsec_at_securityfocus.com>
Sent: Friday, October 18, 2002 1:31 PM
Subject: "Forgot Password" function
> I'm looking for opinions on the most secure way to implement a "Forgot my
> password" function for a website. I know that having this feature is
> probably an inherent security risk, but __assuming that it is a required
> feature__ what would be the most secure way to implement it?
>
> Is the "enter your email address and we'll mail you the password" the best
> way to go? As far as I can tell, it's the most common. But I'm not sure if
> I'm comfortable sending the password in a clear text email message.
>
> I don't really like the "secret question" method either, since if someone
> can get the question, they may be able to guess the answer.
>
> Are there other methods out there? Has anyone come up with a novel solution
> that is more secure?
>
> Thanks for any input.
>
>
Received on Oct 18 2002
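Since the thread's concern is mailing the password itself in clear text, here is an added illustration (not code from either poster) of the usual alternative: email a random, single-use, expiring reset token and keep only its hash server-side. The class and method names, the 15-minute lifetime and the in-memory tables are assumptions; sending the email with the returned token is left to the caller.

```python
import hashlib, hmac, secrets, time

TOKEN_TTL_SECONDS = 15 * 60   # assumed policy: reset links die after 15 minutes

def _token_hash(token):
    # The token carries 256 bits of CSPRNG entropy, so a fast hash is enough to
    # keep a leaked table from yielding usable reset links.
    return hashlib.sha256(token.encode()).hexdigest()

def _password_hash(password, salt):
    # The password itself gets a slow, salted hash (bcrypt/argon2 are equally fine).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class PasswordResetService:
    def __init__(self, emails, clock=time.time):
        self.users = {e: None for e in emails}   # email -> (salt, pw_hash) or None
        self.pending = {}                         # email -> (token_hash, expires_at)
        self.clock = clock                        # injectable so expiry can be tested

    def request_reset(self, email):
        """Return the single-use token for the emailed link, or None if unknown.
        Reply with the same generic message either way so this endpoint cannot
        be used to enumerate registered addresses."""
        if email not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        self.pending[email] = (_token_hash(token), self.clock() + TOKEN_TTL_SECONDS)
        return token

    def complete_reset(self, email, token, new_password):
        """Consume the token and set the new password; False on any mismatch."""
        record = self.pending.get(email)
        if record is None:
            return False
        token_hash, expires_at = record
        if self.clock() > expires_at:
            del self.pending[email]               # expired links are dead, not retryable
            return False
        if not hmac.compare_digest(token_hash, _token_hash(token)):
            return False                          # guessing a 256-bit token is hopeless; rate-limit anyway
        del self.pending[email]                   # single use: a replayed link must fail
        salt = secrets.token_bytes(16)
        self.users[email] = (salt, _password_hash(new_password, salt))
        return True

    def verify_password(self, email, password):
        salt, pw_hash = self.users.get(email) or (b"", b"")
        return hmac.compare_digest(pw_hash, _password_hash(password, salt))
```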