Re: "Forgot Password" function

["Kevin Spett" <kspett () spidynamics com>]

The problem with email is obviously that you put a password in plaintext,
which is no good.  If possible, consider going low tech.  Have them pick up
a phone to call someone and verify personal information to reset the
password.



Kevin Spett
SPI Labs
http://www.spidynamics.com/

----- Original Message -----
From: "Brecrost Jones" <brecrost () hotmail com>
To: <webappsec () securityfocus com>
Sent: Friday, October 18, 2002 1:31 PM
Subject: "Forgot Password" function


> I'm looking for opinions on the most secure way to implement a "Forgot my
> password" function for a website.  I know that having this feature is
> probably an inherent security risk, but __assuming that it is a required
> feature__ what would be the most secure way to implement it?
>
> Is the "enter your email address and we'll mail you the password" the best
> way to go?  As far as I can tell, it's the most common.  But I'm not sure
if
> I'm comfortable sending the password in a clear text email message.
>
> I don't really like the "secret question" method either, since if someone
> can get the question, they may be able to guess the answer.
>
> Are there other methods out there?  Has anyone come up with a novel
solution
> that is more secure?
>
> Thanks for any input.
>
>
> _________________________________________________________________
> Get faster connections -- switch to MSN Internet Access!
> http://resourcecenter.msn.com/access/plans/default.asp