Security Basics mailing list archives

Re: How secure is Email based password reset?

From: Kevin Saenz <ksaenz () spinaweb com au>
Date: 08 May 2003 09:56:21 +1000

the problem with email is that you are send messages using
plain text. if a would be cracker was sniffing your out bound
port then you might have a problem with sending passwords
through emails.

could you give your client's pgp or similar keys and
encrypt emails if it contains passwords?

One of the ways to implement the password reset is to
1. Ask the personal question
2. if correctly answered, generates a unique temporary password
3. Send the password over email to user.

What if the user says I won't be able to check the email at that
address till the end of day but could you please send it to
blah () hotmail com?

4. This would allow user to login once.

My query is regarding sending the password over email to user. How secure is
it? Given that,
1. The Server would be delivering the password email to an Internet Service
Provider.
2. The user would typically be online waiting for the password emal to
arrive.
3. The password would be invalid after the first use.
How valid are these assumptions?

Any other pointers about different way of re-setting the password would be
helpful.



---------------------------------------------------------------------------
FastTrain has your solution for a great CISSP Boot Camp. The industry's most
recognized corporate security certification track, provides a comprehensive
prospectus based upon the core principle concepts of security. This ALL INCLUSIVE curriculum utilizes lectures, case 
studies and true hands-on utilization
of pertinent security tools. For a limited time you can enter for a chance
to win one of the latest technological innovations, the SEGWAY HT.
Log onto http://www.securityfocus.com/FastTrain-security-basics
----------------------------------------------------------------------------

-- 
Regards,

Kevin Saenz
 
Spinaweb
Your one stop shop for I.T solutions.
 
Ph: 02 4620 5130
Fax: 02 4625 9243
Mobile: 0418455661
Web: http://www.spinaweb.com.au


---------------------------------------------------------------------------
FastTrain has your solution for a great CISSP Boot Camp. The industry's most 
recognized corporate security certification track, provides a comprehensive 
prospectus based upon the core principle concepts of security. This ALL INCLUSIVE curriculum utilizes lectures, case 
studies and true hands-on utilization 
of pertinent security tools. For a limited time you can enter for a chance 
to win one of the latest technological innovations, the SEGWAY HT. 
Log onto http://www.securityfocus.com/FastTrain-security-basics 
----------------------------------------------------------------------------

Current thread:

How secure is Email based password reset? Shekhar Jha (May 07)
- Re: How secure is Email based password reset? Kevin Saenz (May 08)
  - Re: How secure is Email based password reset? S. Rohit (May 09)
- RE: How secure is Email based password reset? Stephen (May 08)
- Re: How secure is Email based password reset? Chris Burton (May 08)
- RE: How secure is Email based password reset? Dan Kubb (May 09)
  - Re: How secure is Email based password reset? S. Rohit (May 12)
    - Re: How secure is Email based password reset? Anders Reed Mohn (May 14)
- RE: How secure is Email based password reset? Nick Owen (May 09)
- Re: How secure is Email based password reset? Brian Eckman (May 09)
- Re: How secure is Email based password reset? Martchukov Anton (May 09)
  - Re: How secure is Email based password reset? Brian Eckman (May 12)

(Thread continues...)