Security Basics mailing list archives

Re: How secure is Email based password reset?


From: Brian Eckman <eckman () umn edu>
Date: Fri, 09 May 2003 14:13:37 -0500

Comments within.

Martchukov Anton wrote:
> Wednesday, May 7, 2003, 6:18:56 PM, you wrote:
>
> SJ> One of the ways to implement the password reset is to
> SJ> 1. Ask the personal question
> SJ> 2. If correctly answered, generate a unique temporary password
> SJ> 3. Send the password over email to the user.
> SJ> 4. This would allow the user to log in once.
>
> You'd better force the user to change the password manually after answering
> instead of transferring a plain text password.

Then all an attacker needs to do is guess the answer to the personal question. This is often easier than guessing the password itself, and almost always easier than sniffing the E-mail that would be generated.

> If it's necessary to validate the user's e-mail, you may generate a random
> page URL and send it to the user. When the user goes there, he will be able to
> change the password, after the right answer of course. Maybe it's more secure?

The E-mailed random URL can be sniffed as easily as an E-mailed password.

Brian
--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
612-626-7737

"There are 10 types of people in this world. Those who
understand binary and those who don't."
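A server-side sketch of the single-use, time-limited token that the random reset URL discussed above would carry, added here as an illustration and not code from anyone in the thread. The class, its names and the 15-minute window are assumptions; note that it does nothing about the in-transit exposure Brian raises, since whatever is e-mailed (password or link) is equally readable on the wire.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: the emailed link is good for 15 minutes


class ResetTokenStore:
    """Issue and redeem one-shot reset tokens of the kind a reset URL carries.

    Only a SHA-256 digest of each token is kept server-side, so a copied
    database does not yield working links; the raw token exists only in the
    e-mail that was sent to the user.
    """

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._pending = {}         # sha256(token) -> (username, expiry time)

    def issue(self, username: str) -> str:
        # Called only after the requester passed whatever gate precedes the
        # reset (the personal question in the thread). The token comes from
        # the OS CSPRNG, never from a timestamp or a user-derived value.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (username, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str):
        """Return the username if the token is live, consuming it; else None."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)   # single use: gone after one try
        if entry is None:
            return None
        username, expiry = entry
        return username if self._now() <= expiry else None


def reset_link(base_url: str, token: str) -> str:
    """Build the URL that would be e-mailed (hypothetical path and parameter)."""
    return f"{base_url}/reset?token={token}"
```

The token must still be followed by a forced password change on the resulting page, as the thread recommends, and by invalidating any other pending tokens for the same account.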


