Re: How secure is Email based password reset?

["S. Rohit" <s.rohit () usa net>]

hi...

    is it really necessary to use email as password distribution mechanism?
are u allowed to consider options like pin mailer by registered post which
are generally considered as more secure password delivery option. Because to
secure the password delivery process using email, u need to be able to
encrypt the email itself like kevin has pointed out below. This will lead to
a lot of key management and key life cycle issues for the system.

rohit

----- Original Message ----- 
From: "Kevin Saenz" <ksaenz () spinaweb com au>
To: "Shekhar Jha" <shekhar-jha () usa net>
Cc: <security-basics () securityfocus com>
Sent: Thursday, May 08, 2003 7:56 AM
Subject: Re: How secure is Email based password reset?


> the problem with email is that you are send messages using
> plain text. if a would be cracker was sniffing your out bound
> port then you might have a problem with sending passwords
> through emails.
>
> could you give your client's pgp or similar keys and
> encrypt emails if it contains passwords?
>
> > One of the ways to implement the password reset is to
> > 1. Ask the personal question
> > 2. if correctly answered, generates a unique temporary password
> > 3. Send the password over email to user.
> What if the user says I won't be able to check the email at that
> address till the end of day but could you please send it to
> blah () hotmail com?
>
> > 4. This would allow user to login once.
> >
> > My query is regarding sending the password over email to user. How
secure is
> > it? Given that,
> > 1. The Server would be delivering the password email to an Internet
Service
> > Provider.
> > 2. The user would typically be online waiting for the password emal to
> > arrive.
> > 3. The password would be invalid after the first use.
> > How valid are these assumptions?
> >
> > Any other pointers about different way of re-setting the password would
be
> > helpful.
>
> --------------------------------------------------------------------------
-
> > FastTrain has your solution for a great CISSP Boot Camp. The industry's
most
> > recognized corporate security certification track, provides a
comprehensive
> > prospectus based upon the core principle concepts of security. This ALL
INCLUSIVE curriculum utilizes lectures, case studies and true hands-on
utilization
> > of pertinent security tools. For a limited time you can enter for a
chance
> > to win one of the latest technological innovations, the SEGWAY HT.
> > Log onto http://www.securityfocus.com/FastTrain-security-basics
>
> --------------------------------------------------------------------------
--
> -- 
> Regards,
>
> Kevin Saenz
>
> Spinaweb
> Your one stop shop for I.T solutions.
>
> Ph: 02 4620 5130
> Fax: 02 4625 9243
> Mobile: 0418455661
> Web: http://www.spinaweb.com.au
>
>
> --------------------------------------------------------------------------
-
> FastTrain has your solution for a great CISSP Boot Camp. The industry's
most
> recognized corporate security certification track, provides a
comprehensive
> prospectus based upon the core principle concepts of security. This ALL
INCLUSIVE curriculum utilizes lectures, case studies and true hands-on
utilization
> of pertinent security tools. For a limited time you can enter for a chance
> to win one of the latest technological innovations, the SEGWAY HT.
> Log onto http://www.securityfocus.com/FastTrain-security-basics
> --------------------------------------------------------------------------
--
>



---------------------------------------------------------------------------
FastTrain has your solution for a great CISSP Boot Camp. The industry's most 
recognized corporate security certification track, provides a comprehensive 
prospectus based upon the core principle concepts of security. This ALL INCLUSIVE curriculum utilizes lectures, case 
studies and true hands-on utilization 
of pertinent security tools. For a limited time you can enter for a chance 
to win one of the latest technological innovations, the SEGWAY HT. 
Log onto http://www.securityfocus.com/FastTrain-security-basics 
----------------------------------------------------------------------------