Security Basics mailing list archives
RE: How secure is Email based password reset?
From: "Stephen" <bitbucket () look ca>
Date: Thu, 8 May 2003 11:09:59 -0400
I've never used the model you're describing below, as the temporary password you're sending -- in plain text -- can be sniffed anywhere across the wire. My suggestion would be:

1. User answers the question he/she chose when signing up -- to prove it is actually the user.
2. User is not logged in, but is rather forced to change his password immediately.
3. Login screen is presented, and the user logs in w/ his/her newly chosen password.

(This is all done using SSL encryption!)

This is obviously in regards to securing a web application, so might I suggest a few articles that were somewhat helpful to me when I was building my security model:

http://securityfocus.com/infocus/1688 & http://securityfocus.com/infocus/1687

Cheers,
Stephen

-----Original Message-----
From: Shekhar Jha [mailto:shekhar-jha () usa net]
Sent: Wednesday, May 07, 2003 10:19 AM
To: security-basics () securityfocus com
Subject: How secure is Email based password reset?

One of the ways to implement the password reset is to
1. Ask the personal question
2. If correctly answered, generate a unique temporary password
3. Send the password over email to the user.
4. This would allow the user to login once.

My query is regarding sending the password over email to the user. How secure is it? Given that,
1. The Server would be delivering the password email to an Internet Service Provider.
2. The user would typically be online waiting for the password email to arrive.
3. The password would be invalid after the first use.

How valid are these assumptions? Any other pointers about different ways of re-setting the password would be helpful.
Current thread:
- How secure is Email based password reset? Shekhar Jha (May 07)
- Re: How secure is Email based password reset? Kevin Saenz (May 08)
- Re: How secure is Email based password reset? S. Rohit (May 09)
- RE: How secure is Email based password reset? Stephen (May 08)
- Re: How secure is Email based password reset? Chris Burton (May 08)
- RE: How secure is Email based password reset? Dan Kubb (May 09)
- Re: How secure is Email based password reset? S. Rohit (May 12)
- Re: How secure is Email based password reset? Anders Reed Mohn (May 14)
- Re: How secure is Email based password reset? S. Rohit (May 12)
- RE: How secure is Email based password reset? Nick Owen (May 09)
- Re: How secure is Email based password reset? Brian Eckman (May 09)
- Re: How secure is Email based password reset? Martchukov Anton (May 09)
- Re: How secure is Email based password reset? Brian Eckman (May 12)
- <Possible follow-ups>
- Re: How secure is Email based password reset? Gaurav Kumar (May 08)
- Re: How secure is Email based password reset? brien mac (May 08)
- Re: How secure is Email based password reset? Kevin Saenz (May 08)