WebApp Sec mailing list archives
RE: Forgot Your Password Best Practices
From: "Richard M. Smith" <rms () computerbytesman com>
Date: Thu, 29 May 2003 21:56:09 -0400
This recent article illustrates one glitch with many "forgot your password" systems:

Expired Domains Expose EBay Security Glitch
http://www.auctionbytes.com/cab/abn/y03/m05/i15/s01

The trick is to acquire an expired domain and see what email addresses have been used at the domain by watching incoming email. These email addresses can then be used to break into Web site accounts.

In spite of what the article says, this is not an eBay-specific issue. I just checked, and Amazon, as one example, will allow an account password to be reset with the only requirement being access to the email account which is associated with the Amazon account.

As an aside, if someone gets your email account password, they can then take control of your Amazon account and associated credit card.

Richard

-----Original Message-----
From: Susan Olson [mailto:olson.susan () excite com]
Sent: Thursday, May 29, 2003 1:52 PM
To: webappsec () securityfocus com
Subject: Forgot Your Password Best Practices

Does anyone know where I can find some 'best practices' and/or know of some Dos and Don'ts for implementing a "Forgot Your Password" function for a web site? I've been looking for a couple of days and have not turned up much.

TIA,
- Sue
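Sue asks how a "Forgot Your Password" function should be built, and Richard's reply shows the limit of the usual answer: an email-only reset is exactly as strong as the mailbox it sends to. The Python below is an added example, not code from either poster nor from eBay or Amazon. It shows the token handling such a reset link should have at minimum: a random token, only its hash stored at rest, a short expiry, single use, and all other outstanding tokens for the user dropped when one is redeemed. The email-to-user map, the 15-minute lifetime and the injectable clock are assumptions made for the example. None of this defeats the attack in the article, where the attacker legitimately receives the mail; it only limits what a stale, leaked or replayed link is worth.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed policy for this example: reset links die after 15 minutes.
TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class ResetRecord:
    user_id: str
    expires_at: float
    used: bool = False


class PasswordResetService:
    """Email-based reset flow; an in-memory dict stands in for the database.

    The raw token is handed to the caller only so it can be put in the
    email.  Only its SHA-256 is kept, so a copy of the store does not let an
    attacker mint a working reset link.
    """

    def __init__(self, users: Dict[str, str], now: Callable[[], float] = time.time):
        # users: email -> user_id.  Constructed sample data is passed in by the caller.
        self._users = {email.lower(): uid for email, uid in users.items()}
        self._records: Dict[str, ResetRecord] = {}   # token hash -> record
        self._now = now

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def request_reset(self, email: str) -> Optional[str]:
        """Return the token that would be mailed, or None for an unknown address.

        A real handler would send the mail and return the same generic
        "if that address exists, a link has been sent" response in both
        cases, so that the reset form does not reveal which addresses exist.
        """
        user_id = self._users.get(email.lower())
        if user_id is None:
            return None
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._records[self._hash(token)] = ResetRecord(
            user_id=user_id,
            expires_at=self._now() + TOKEN_TTL_SECONDS,
        )
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Return the user_id the token authorises, or None.

        A valid token is consumed, and every other outstanding token for the
        same user is invalidated, so an older link in the mailbox cannot be
        used after the account has already been recovered.
        """
        rec = self._records.get(self._hash(token))
        if rec is None or rec.used or self._now() > rec.expires_at:
            return None
        rec.used = True
        for other in self._records.values():
            if other.user_id == rec.user_id:
                other.used = True
        return rec.user_id

    def outstanding(self, user_id: str) -> int:
        """Number of still-redeemable tokens for a user (for tests and audits)."""
        now = self._now()
        return sum(
            1 for r in self._records.values()
            if r.user_id == user_id and not r.used and now <= r.expires_at
        )
```

The clock is injectable so expiry can be tested without sleeping; in production leave the default `time.time`. Case-folding the address on lookup matters because the same mailbox is reachable under several spellings, and the attacker in the article controls the whole domain regardless of case.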
Current thread:
- Forgot Your Password Best Practices Susan Olson (May 29)
- RE: Forgot Your Password Best Practices Richard M. Smith (May 29)
- Re: Forgot Your Password Best Practices Sverre H. Huseby (Jun 01)
- Re: Forgot Your Password Best Practices M. Burnett (Jun 01)