Home page logo

webappsec logo WebApp Sec mailing list archives

Re: "Forgot Password" function
From: Chris Shepherd <chriss () whstuart com>
Date: Fri, 18 Oct 2002 14:32:31 -0400

Quoting Brecrost Jones <brecrost () hotmail com>:
Is the "enter your email address and we'll mail you the password" the best 
way to go?  As far as I can tell, it's the most common.  But I'm not sure if

I'm comfortable sending the password in a clear text email message.

I don't really like the "secret question" method either, since if someone 
can get the question, they may be able to guess the answer.

Are there other methods out there?  Has anyone come up with a novel solution
that is more secure?

Since I encrypt all my passwords with MD5, and I record email addresses with 
each password, I simply have the "forgot password" link ask them for their user 
id. Then, the following steps would happen:

1. Script retrieves the MD5'ed password from the database.
2. Script gets another MD5 hash of the password, and adds that into an email.
3. Email is sent out to the email address on file containing a link to a script 
(with the Hash of the hashed PW in the query string) that will compare the hash 
in the email to the hash of the current MD5'ed password in the database.
4. If the two match, the user would be prompted to change their password. If 
not, it would get logged for an administrator to browse.

The reason I would hash the hash (as it were), is so that the hashed password 
doesn't get sent in the email. The reason for this is that if an attacker had a 
copy of the hash, they could attempt to bruteforce it. This way, they would 
have to bruteforce the 32-bit MD5 string to get a hit, and then they would have 
to go and bruteforce the MD5 string to get the hit. Considering MD5's are 32 
characters, the number of combinations alone (17^32, if I'm not mistaken) would 
be enough of a preventative meausure, and that's assuming the attacker knows 
you are using this technique. 

Essentially this is just generating a key and emailing it to the 'trusted' user.
You can even have a form for it that would require they copy and paste it into 
an email and say, add the first three characters of their name to it or 
something. At any rate, it would be a little more secure than passing the raw 
password in plaintext, and also allows you to keep the passwords in your 
database MD5'ed.

Just a thought. 

Chris Shepherd
This email may contain confidential information. Use of any such information
is strictly prohibited without express written consent of the sender

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]