Re: "Forgot Password" function
From: Mark Curphey <mark () curphey com>
Date: Fri, 18 Oct 2002 11:17:49 -0700 (PST)
Page 20 of the OWASP Guide has some advice on this.
---- Brecrost Jones <brecrost () hotmail com> wrote:
I'm looking for opinions on the most secure way to implement a "Forgot my password" function for a website. I know that having this feature is probably an inherent security risk, but __assuming that it is a required feature__ what would be the most secure way to

Is the "enter your email address and we'll mail you the password" the best way to go? As far as I can tell, it's the most common. But I'm not sure if I'm comfortable sending the password in a clear text email message.

I don't really like the "secret question" method either, since if someone can get the question, they may be able to guess

Are there other methods out there? Has anyone come up with a novel solution that is more secure?
Thanks for any input.
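One way to avoid both of the options the question weighs (emailing the password itself, or relying on a guessable secret question) is a single-use, time-limited reset token that is emailed instead of the password. The following is an added example written for this page in Python; it is not code from either poster, nor from the OWASP Guide mentioned in the reply. The 15-minute window, the in-memory `USERS` and `PENDING_RESETS` tables, and the `OUTBOX` list standing in for the mail sender are all assumptions made for the example.

```python
"""Token-based password reset (added example, not from either poster or the
OWASP Guide).  The site never emails the password; it emails a random,
single-use, short-lived token and stores only that token's hash."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: 15-minute reset window

# Constructed sample user table (email -> record).  password_hash is whatever
# the site's normal password hashing routine produces; it is opaque here.
USERS = {
    "alice@example.com": {"id": 1, "password_hash": "hash-of-old-password"},
}

# Pending resets: list of {"token_hash", "user_id", "expires"} dicts.
PENDING_RESETS = []

# Stand-in for the outgoing mail queue: (recipient, token) pairs.
OUTBOX = []

NEUTRAL_REPLY = "If that address is registered, a reset link has been sent."


def _hash_token(token):
    """Only this digest is stored, so a leaked table yields no usable tokens."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def request_reset(email, now=None):
    """Start a reset.  The reply is the same whether or not the address is
    registered, so the form cannot be used to enumerate accounts."""
    now = time.time() if now is None else now
    user = USERS.get(email)
    if user is not None:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        PENDING_RESETS.append({
            "token_hash": _hash_token(token),
            "user_id": user["id"],
            "expires": now + TOKEN_TTL_SECONDS,
        })
        OUTBOX.append((email, token))  # a real site would email a link here
    return NEUTRAL_REPLY


def complete_reset(token, new_password_hash, now=None):
    """Consume a token.  Returns True only for a known, unexpired token, and
    each token can be used at most once."""
    now = time.time() if now is None else now
    wanted = _hash_token(token)
    for i, entry in enumerate(PENDING_RESETS):
        # constant-time comparison of the stored and presented digests
        if hmac.compare_digest(entry["token_hash"], wanted):
            del PENDING_RESETS[i]  # single use, whether or not it succeeds
            if now > entry["expires"]:
                return False
            for rec in USERS.values():
                if rec["id"] == entry["user_id"]:
                    rec["password_hash"] = new_password_hash
                    return True
            return False
    return False


if __name__ == "__main__":
    print(request_reset("alice@example.com"))
    _, tok = OUTBOX[-1]
    print("reset ok:", complete_reset(tok, "hash-of-new-password"))
    print("reuse ok:", complete_reset(tok, "hash-of-another-password"))
```

The two properties worth checking in a real implementation are the ones the example exercises: the database holds only a hash of the token, so a leaked table cannot be replayed, and a token stops working after one use or after its window, so an old reset email found later is worthless.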