I have come across some sites that do this rather well. One way that I really like provides the user with a Forgot Password page and function allowing for re-authentication to the application. This process does not send in email or present the forgotten password to the user. Instead, the Forgot Password process validates the required account information, which was set during initial account creation (city of birth, mother's maiden name, two secret questions), before allowing a new password to be created/stored, and presenting the user with the Login page for authentication.

As a precaution, the application was configured to notify the accountholder of any changes to user-configurable information (which may occur through the application, by either the user or support personnel), including password changes, via an email message. This message, sent to the address of the accountholder, provides a generic notification as to the type of change, how the change occurred, when it occurred, but does not include any sensitive account information. As an extra precaution, the accountholder cannot change their email address via the application, but rather, must contact the appropriate support personnel, who perform proper account validation, before changing the address. This way the accountholder will be informed of changes to their account and can report any suspicious activity. Additionally, the user gets three failed attempts at resetting their password before the account is permanently locked out, requiring the user to contact the support personnel to unlock the account.
Hope this helps
--Bill Smith
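The reset flow Bill describes (all enrolled answers checked before a new password is stored, a generic change notice with no secrets in it, and a permanent lockout after three failed resets), as an added Python sketch that is not from the original post; the in-memory `Account` record, the `notifications` list standing in for outbound mail, and the PBKDF2 parameters are my own assumptions:

```python
import hashlib, hmac, secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone

MAX_RESET_ATTEMPTS = 3  # three failed resets, then only support can unlock

def _digest(value: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 50_000)

def _answer(text: str) -> str:
    return " ".join(text.lower().split())  # "Springfield " and "springfield" match

@dataclass
class Account:  # assumed in-memory stand-in for the real user store
    email: str
    salt: bytes
    answer_digests: dict  # question -> digest of the answer enrolled at creation
    password_digest: bytes
    failed_resets: int = 0
    locked: bool = False
    notifications: list = field(default_factory=list)  # stand-in for outbound mail

def create_account(email: str, password: str, answers: dict) -> Account:
    salt = secrets.token_bytes(16)
    digests = {q: _digest(_answer(a), salt) for q, a in answers.items()}
    return Account(email, salt, digests, _digest(password, salt))

def verify_password(acct: Account, password: str) -> bool:
    return hmac.compare_digest(acct.password_digest, _digest(password, acct.salt))

def forgot_password(acct: Account, answers: dict, new_password: str) -> str:
    """Every enrolled answer must match before the new password is stored."""
    if acct.locked:
        return "locked"
    ok = True
    for question, expected in acct.answer_digests.items():  # check all, no early exit
        given = _digest(_answer(answers.get(question, "")), acct.salt)
        ok &= hmac.compare_digest(expected, given)
    if not ok:
        acct.failed_resets += 1
        if acct.failed_resets >= MAX_RESET_ATTEMPTS:
            acct.locked = True  # permanent until support validates and unlocks
            return "locked"
        return "invalid"
    acct.failed_resets = 0
    acct.password_digest = _digest(new_password, acct.salt)
    # Generic notice: what changed, how and when; never the password or the answers.
    acct.notifications.append(f"To {acct.email}: password changed via the Forgot "
                              f"Password page at {datetime.now(timezone.utc):%Y-%m-%d %H:%M} UTC.")
    return "reset"
```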
-----Original Message-----
From: Brecrost Jones [mailto:brecrost_at_hotmail.com]
Sent: Friday, October 18, 2002 1:32 PM
To: webappsec_at_securityfocus.com
Subject: "Forgot Password" function
I'm looking for opinions on the most secure way to implement a "Forgot my
password" function for a website. I know that having this feature is
probably an inherent security risk, but __assuming that it is a required
feature__ what would be the most secure way to implement it?
Is the "enter your email address and we'll mail you the password" the best
way to go? As far as I can tell, it's the most common. But I'm not sure if
I'm comfortable sending the password in a clear text email message.
I don't really like the "secret question" method either, since if someone
can get the question, they may be able to guess the answer.
Are there other methods out there? Has anyone come up with a novel solution
that is more secure?
Thanks for any input.
Received on Oct 19 2002