Home page logo

webappsec logo WebApp Sec mailing list archives

RE: "Forgot Password" function
From: "William Bartholomew" <william () orlitech com au>
Date: Mon, 21 Oct 2002 06:54:10 +1000

The simple solution to this problem is to actually generate a new
password for the user and email them that instead and force them to
change it on the first login. That achieves a few security goals:

1. The password does not need to be stored in clear-text.

2. The emailed password is only useful for one login.

3. If the user tries to login with the password they were emailed and it
doesn't work they can assume someone else is accessing their account.


William Bartholomew
Internet Developer
Orli-TECH Pty Ltd
"Your Innovative e-Business Partner"

Web:   http://www.orlitech.com.au
Email: william () orlitech com au
Phone: +61 7 3292 0220
Fax:   +61 7 3292 0221

Visit our online store http://www.instantit.com.au

This electronic communication (including any attached files) may contain
confidential and/or legally privileged information and is only intended
for the viewing purposes of the person to whom it is addressed. If you
are not the intended recipient, you do not have permission to read, use,
disseminate, distribute, copy or retain any part of this communication
or its attachments in any form. If you receive this email in error,
please contact us on +61 7 3292 0222 or by email and delete all copies. 

-----Original Message-----
From: David Bullock [mailto:davidbullock () tech-center com]
Sent: Saturday, 19 October 2002 4:09 AM
To: Brecrost Jones; webappsec () securityfocus com
Subject: Re: "Forgot Password" function

You can also mail a link with a secured hash to their email address,
them to enter a new password.

Emailing them the password not only as the risk of sending the
password in
the clear, you also have to store it in the clear, and that carries


----- Original Message -----
From: "Brecrost Jones" <brecrost () hotmail com>
To: <webappsec () securityfocus com>
Sent: Friday, October 18, 2002 10:31 AM
Subject: "Forgot Password" function

I'm looking for opinions on the most secure way to implement a "Forgot
password" function for a website.  I know that having this feature is
probably an inherent security risk, but __assuming that it is a
feature__ what would be the most secure way to implement it?

Is the "enter your email address and we'll mail you the password" the
way to go?  As far as I can tell, it's the most common.  But I'm not
I'm comfortable sending the password in a clear text email message.

I don't really like the "secret question" method either, since if
can get the question, they may be able to guess the answer.

Are there other methods out there?  Has anyone come up with a novel
that is more secure?

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]