Security Basics mailing list archives

Re: How secure is Email based password reset?


From: Brian Eckman <eckman () umn edu>
Date: Thu, 08 May 2003 12:22:01 -0500

I'm assuming this is a password reset for a Web site?

I guess I disagree with most people. I think the method that you outline is reasonable for most uses. I think your assumptions are reasonable ones. If this is for online banking or something similar, then other precautions should be included, such as the suggestion I list below.

Obviously, only send the E-mail to their registered E-mail address, don't let them provide one now. Also, it must be enforced that the temporary password can be used exactly once.

Something you could consider:

Use SSL on the password reset request Web page. Have it display a random passphrase that must be entered for the user to reset their password. E-mail them a customized URL to reset their password on. This page (also SSL encrypted) should be configured to only be accessible once. Users must enter the passphrase they were given, as well as choose their new password, which is not E-mailed to them. Allow 0-2 failures of the passphrase before expiring the custom URL.

It doesn't really have to be a custom URL, as long as your server can identify the correct passphrase issued to that account.

If SSL is not used during authentication, then all of this is pointless, since the password is sent along cleartext anyway. Your described method would be acceptable if SSL is never used.

Brian


Shekhar Jha wrote:
One of the ways to implement the password reset is to
1. Ask the personal question
2. if correctly answered, generates a unique temporary password
3. Send the password over email to user.
4. This would allow the user to log in once.

My query is regarding sending the password over email to user. How secure is
it? Given that,
1. The Server would be delivering the password email to an Internet Service
Provider.
2. The user would typically be online waiting for the password email to
arrive.
3. The password would be invalid after the first use.
How valid are these assumptions?

Any other pointers about different ways of re-setting the password would be
helpful.


--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
612-626-7737

"There are 10 types of people in this world. Those who
understand binary and those who don't."
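Brian's flow above (a random passphrase shown on the SSL request page, a single-use link mailed only to the registered address, the passphrase and a new password entered behind that link, the link expiring after a couple of wrong passphrases) and Shekhar's original one-time-login variant share the same core: a server-side secret that can be verified exactly once and is then invalidated. The following Python is an added example, not code from either poster; the `example.test` host, the 15-minute link lifetime, the small word list, the in-memory stores and the injectable clock are all my assumptions.

```python
"""Single-use, passphrase-bound password reset flow (added example).

Models the thread's procedure: request_reset() shows a passphrase and
"mails" a one-time link; complete_reset() accepts passphrase + new
password once, and burns the link after too many wrong passphrases.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60      # assumed lifetime of the e-mailed link
MAX_PASSPHRASE_FAILURES = 2      # "allow 0-2 failures" from the post
# Constructed word list for the displayed passphrase (assumption).
WORDS = ["amber", "birch", "cobalt", "delta", "ember", "fjord", "gamma", "heron"]


def _h(value: str) -> bytes:
    return hashlib.sha256(value.encode()).digest()


@dataclass
class ResetRecord:
    account: str
    token_hash: bytes        # only a hash of the URL token is kept server-side
    passphrase_hash: bytes   # only a hash of the displayed passphrase is kept
    expires_at: float
    failures: int = 0
    used: bool = False


class PasswordResetService:
    def __init__(self, registered_emails: Dict[str, str],
                 now: Callable[[], float] = time.time) -> None:
        self._emails = registered_emails            # account -> registered address
        self._records: Dict[str, ResetRecord] = {}  # token hash (hex) -> record
        self._passwords: Dict[str, Tuple[bytes, bytes]] = {}  # account -> (salt, pbkdf2)
        self._now = now
        self.outbox: List[Tuple[str, str]] = []     # (to, url): mail "sent"

    def request_reset(self, account: str) -> Optional[str]:
        """Reset-request page: returns the passphrase to show the user and
        'mails' a single-use link to the registered address only."""
        email = self._emails.get(account)
        if email is None:
            return None   # the page itself should respond identically either way
        passphrase = "-".join(secrets.choice(WORDS) for _ in range(4))
        token = secrets.token_urlsafe(32)
        rec = ResetRecord(account, _h(token), _h(passphrase),
                          self._now() + TOKEN_TTL_SECONDS)
        self._records[rec.token_hash.hex()] = rec
        self.outbox.append((email, f"https://example.test/reset/{token}"))
        return passphrase

    def complete_reset(self, token: str, passphrase: str, new_password: str) -> str:
        """Reset page behind the e-mailed link. Returns one of
        'ok', 'wrong-passphrase', 'expired', 'invalid'."""
        rec = self._records.get(_h(token).hex())
        if rec is None or rec.used or self._now() > rec.expires_at:
            return "invalid"
        if not hmac.compare_digest(rec.passphrase_hash, _h(passphrase)):
            rec.failures += 1
            if rec.failures > MAX_PASSPHRASE_FAILURES:
                rec.used = True          # too many misses: burn the link
                return "expired"
            return "wrong-passphrase"
        rec.used = True                  # success also burns the link
        self._set_password(rec.account, new_password)
        return "ok"

    def _set_password(self, account: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._passwords[account] = (salt, digest)

    def verify_password(self, account: str, password: str) -> bool:
        stored = self._passwords.get(account)
        if stored is None:
            return False
        salt, digest = stored
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    svc = PasswordResetService({"alice": "alice@example.test"})
    shown = svc.request_reset("alice")
    to, url = svc.outbox[-1]
    token = url.rsplit("/", 1)[1]
    print("passphrase shown on page:", shown)
    print("link mailed to", to)
    print(svc.complete_reset(token, "wrong-guess", "NewPass1"))   # wrong-passphrase
    print(svc.complete_reset(token, shown, "NewPass1"))           # ok
    print(svc.complete_reset(token, shown, "NewPass2"))           # invalid (single use)
```

The two secrets are split across channels (passphrase on the HTTPS page, token in the mail) so that reading the mailbox alone does not complete the reset, and neither the token nor the passphrase is stored in the clear, so a leaked table does not hand out live links. The new password never goes into the mail, and both the successful reset and the failure limit mark the record used, which is what makes the link "accessible once" as the post requires.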

