Home page logo

webappsec logo WebApp Sec mailing list archives

Re: "Forgot Password" function
From: Mark Curphey <mark () curphey com>
Date: Fri, 18 Oct 2002 11:17:49 -0700 (PST)

Page 20 of the OWASP Guide has some advice on this.


---- Brecrost Jones <brecrost () hotmail com> wrote:
I'm looking for opinions on the most secure way to 
implement a "Forgot my 
password" function for a website.  I know that 
having this feature is 
probably an inherent security risk, but __assuming 
that it is a required 
feature__ what would be the most secure way to 
implement it?

Is the "enter your email address and we'll mail 
you the password" the best 
way to go?  As far as I can tell, it's the most 
common.  But I'm not sure if 
I'm comfortable sending the password in a clear 
text email message.

I don't really like the "secret question" method 
either, since if someone 
can get the question, they may be able to guess 
the answer.

Are there other methods out there?  Has anyone 
come up with a novel solution 
that is more secure?

Thanks for any input.

Get faster connections -- switch to MSN Internet 


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]