Home page logo
/

webappsec logo WebApp Sec mailing list archives

Re: "Forgot Password" function
From: "Kevin Spett" <kspett () spidynamics com>
Date: Fri, 18 Oct 2002 14:25:08 -0400

The problem with email is obviously that you put a password in plaintext,
which is no good.  If possible, consider going low tech.  Have them pick up
a phone to call someone and verify personal information to reset the
password.



Kevin Spett
SPI Labs
http://www.spidynamics.com/

----- Original Message -----
From: "Brecrost Jones" <brecrost () hotmail com>
To: <webappsec () securityfocus com>
Sent: Friday, October 18, 2002 1:31 PM
Subject: "Forgot Password" function


I'm looking for opinions on the most secure way to implement a "Forgot my
password" function for a website.  I know that having this feature is
probably an inherent security risk, but __assuming that it is a required
feature__ what would be the most secure way to implement it?

Is the "enter your email address and we'll mail you the password" the best
way to go?  As far as I can tell, it's the most common.  But I'm not sure
if
I'm comfortable sending the password in a clear text email message.

I don't really like the "secret question" method either, since if someone
can get the question, they may be able to guess the answer.

Are there other methods out there?  Has anyone come up with a novel
solution
that is more secure?

Thanks for any input.


_________________________________________________________________
Get faster connections -- switch to MSN Internet Access!
http://resourcecenter.msn.com/access/plans/default.asp




  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault