Security Basics mailing list archives

RE: How secure is Email based password reset?


From: "Stephen" <bitbucket () look ca>
Date: Thu, 8 May 2003 11:09:59 -0400


I've never used the model you're describing below, as the temporary
password you're sending -- in plain text -- can be sniffed anywhere
across the wire.  My suggestion would be:

1.  User answers question he/she chose when signing up -- to prove it is
actually the user.
2.  User is not logged in, but is rather forced to change his
password immediately.
3.  Login screen is presented, and the user logs in w/ his/her newly
chosen password.

(This is all done using SSL encryption!)

This is obviously in regards to securing a web application, so might I
suggest a few articles that were somewhat helpful to me when I was
building my security model:

http://securityfocus.com/infocus/1688 & 
http://securityfocus.com/infocus/1687

Cheers,
Stephen

-----Original Message-----
From: Shekhar Jha [mailto:shekhar-jha () usa net] 
Sent: Wednesday, May 07, 2003 10:19 AM
To: security-basics () securityfocus com
Subject: How secure is Email based password reset?


One of the ways to implement the password reset is to:
1. Ask the personal question.
2. If correctly answered, generate a unique temporary password.
3. Send the password over email to the user.
4. This would allow the user to log in once.

My query is regarding sending the password over email to the user. How
secure is it? Given that:
1. The server would be delivering the password email to an Internet Service Provider.
2. The user would typically be online waiting for the password email to arrive.
3. The password would be invalid after the first use.
How valid are these assumptions?

Any other pointers about different way of re-setting the password would
be helpful.
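The reset flow debated in this thread (personal question, a one-time secret delivered by email, single use), modelled as an added example that is not code from either poster. It is written to show the server-side properties that limit the damage if the emailed secret is seen in transit, which is Stephen's concern: the secret is a long random token rather than a guessable temporary password, it is stored only as a hash, it expires after fifteen minutes, it can be used exactly once, and redeeming it does not log the user in but only permits setting a new password, after which a normal login is required. The class, method and record names are invented for the example; the mailer is out of scope, so `begin_reset` returns the token the mailer would send, and the in-memory dictionaries stand in for the account database. The PBKDF2 round count is a toy setting.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed settings for this example: a short token lifetime narrows the
# window in which an intercepted email is useful; the KDF rounds are a toy value.
TOKEN_TTL_SECONDS = 15 * 60
PBKDF2_ROUNDS = 100_000


def _kdf(secret: str, salt: bytes) -> bytes:
    """Salted, slow hash for low-entropy secrets (passwords, question answers)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def _token_hash(token: str) -> bytes:
    """Reset tokens are high-entropy, so a plain SHA-256 is enough; the token
    itself is never stored, so a database leak does not expose live tokens."""
    return hashlib.sha256(token.encode()).digest()


@dataclass
class UserRecord:          # hypothetical account row
    salt: bytes
    pw_hash: bytes
    answer_hash: bytes


@dataclass
class ResetRecord:         # hypothetical pending-reset row
    token_hash: bytes
    expires_at: float


class PasswordResetService:
    """In-memory stand-in for the account store; `clock` is injectable so expiry can be tested."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._users = {}     # username -> UserRecord
        self._pending = {}   # username -> ResetRecord (at most one live token per user)

    def register(self, username: str, password: str, answer: str) -> None:
        salt = secrets.token_bytes(16)
        # The personal-question answer is a secret too, so it is hashed like a password.
        self._users[username] = UserRecord(
            salt, _kdf(password, salt), _kdf(answer.strip().lower(), salt))

    def verify_login(self, username: str, password: str) -> bool:
        user = self._users.get(username)
        if user is None:
            return False
        return hmac.compare_digest(user.pw_hash, _kdf(password, user.salt))

    def begin_reset(self, username: str, answer: str):
        """Steps 1-2 of the flow: check the personal question, then mint a one-time token.
        Returns the token the mailer would send, or None. Unknown user and wrong
        answer get the same None, so the endpoint does not confirm which it was."""
        user = self._users.get(username)
        if user is None or not hmac.compare_digest(
                user.answer_hash, _kdf(answer.strip().lower(), user.salt)):
            return None
        token = secrets.token_urlsafe(32)   # 256 bits of randomness, not a short temp password
        self._pending[username] = ResetRecord(
            _token_hash(token), self._clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, username: str, token: str, new_password: str) -> bool:
        """Steps 3-4: consume the token and set a new password. This deliberately
        creates no session; the user must log in again with the new password."""
        rec = self._pending.get(username)
        if rec is None or self._clock() > rec.expires_at:
            return False
        if not hmac.compare_digest(rec.token_hash, _token_hash(token)):
            return False
        del self._pending[username]         # single use: the token is gone before anything else happens
        user = self._users[username]
        user.pw_hash = _kdf(new_password, user.salt)
        return True


if __name__ == "__main__":
    svc = PasswordResetService()
    svc.register("alice", "old-pass", "blue")
    tok = svc.begin_reset("alice", "blue")       # this string is what would be emailed
    print("redeem once:", svc.redeem("alice", tok, "new-pass"))
    print("redeem again:", svc.redeem("alice", tok, "other"))
    print("login with new password:", svc.verify_login("alice", "new-pass"))
```

Note that even with these properties the emailed token is still a bearer secret for the duration of its lifetime, so the ordering inside `redeem` matters: the pending record is deleted before the password is written, which keeps a second, racing request from reusing it.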



---------------------------------------------------------------------------
FastTrain has your solution for a great CISSP Boot Camp. The industry's most
recognized corporate security certification track, provides a comprehensive
prospectus based upon the core principle concepts of security. This ALL
INCLUSIVE curriculum utilizes lectures, case studies and true hands-on utilization
of pertinent security tools. For a limited time you can enter for a chance
to win one of the latest technological innovations, the SEGWAY HT.
Log onto http://www.securityfocus.com/FastTrain-security-basics
---------------------------------------------------------------------------




