Security Basics mailing list archives
Re: How secure is Email based password reset?
From: Brian Eckman <eckman () umn edu>
Date: Fri, 09 May 2003 14:13:37 -0500
Comments within. Martchukov Anton wrote:
Wednesday, May 7, 2003, 6:18:56 PM, you wrote: SJ> One of the ways to implement the password reset is to SJ> 1. Ask the personal question SJ> 2. if correctly answered, generates a unique temporary password SJ> 3. Send the password over email to user. SJ> 4. This would allow user to login once. You'd better force user to change password manually after answering instead of transferring a plain text password.
Then all an attacker needs to do is guess the answer to the personal question. This is often easier than guessing the password itself, and almost always easier than sniffing the E-mail that would be generated.
> If it's necessary to validate user's e-mail, you may generate random > page URL and send it to user. When user goes there, he will be able to > change password, after > right answer of cause. Maybe it's more secure? The E-mailed random URL can be sniffed as easily as an E-mailed password. Brian -- Brian Eckman Security Analyst OIT Security and Assurance University of Minnesota 612-626-7737 "There are 10 types of people in this world. Those who understand binary and those who don't." ---------------------------------------------------------------------------FastTrain has your solution for a great CISSP Boot Camp. The industry's most recognized corporate security certification track, provides a comprehensive prospectus based upon the core principle concepts of security. This ALL INCLUSIVE curriculum utilizes lectures, case studies and true hands-on utilization of pertinent security tools. For a limited time you can enter for a chance to win one of the latest technological innovations, the SEGWAY HT. Log onto http://www.securityfocus.com/FastTrain-security-basics ----------------------------------------------------------------------------
Current thread:
- Re: How secure is Email based password reset?, (continued)
- Re: How secure is Email based password reset? Kevin Saenz (May 08)
- Re: How secure is Email based password reset? S. Rohit (May 09)
- RE: How secure is Email based password reset? Stephen (May 08)
- Re: How secure is Email based password reset? Chris Burton (May 08)
- RE: How secure is Email based password reset? Dan Kubb (May 09)
- Re: How secure is Email based password reset? S. Rohit (May 12)
- Re: How secure is Email based password reset? Anders Reed Mohn (May 14)
- Re: How secure is Email based password reset? S. Rohit (May 12)
- RE: How secure is Email based password reset? Nick Owen (May 09)
- Re: How secure is Email based password reset? Brian Eckman (May 09)
- Re: How secure is Email based password reset? Martchukov Anton (May 09)
- Re: How secure is Email based password reset? Brian Eckman (May 12)
- Re: How secure is Email based password reset? Gaurav Kumar (May 08)
- Re: How secure is Email based password reset? brien mac (May 08)
- Re: How secure is Email based password reset? Kevin Saenz (May 08)