RE: How secure is Email based password reset?

["Dan Kubb" <dan.kubb () marketingtips com>]

I'd do the following:

  1. When generating the user account, ask them to enter
     in a personal question that only they would know the
     answer to.  I'd then ask them to put in the answer.
     I'd also instruct them on bad questions, like
     "What is my SSN?" Or "What is my mother's maiden name?".
  2. SHA-1 hash their answer and store it in the database.
  3. When the user tries to log in, and forgets their
     password redirect them to an SSL protected area.
  4. Ask them the "secret question".  Hash their answer, and
     compare against the DB.  If they get it right,
     email a one-time "key".
  5. Tell the user to check their email, and paste in the 
     key that was just mailed to them into a text box and 
     hit submit.  Most importantly:  All this is done during 
     the same SSL session, and the one-time key is only valid 
     for this SSL session and for a limited time (say 5 mins).  
     If the user disconnects, or walks away from their 
     computer for more than 5 mins, the key should be made 
     not to work.
  6. User gets to change their password from within an SSL
     enabled area.

Step number 5 is the important one.  If someone intercepted
the passphrase in-transit, they wouldn't be able to do
anything with it, because its only valid for the real
user's SSL session.

You could probably change it so that instead of pasting
in a text box, that they click on a link via email.  The
only important factor is that the current SSL session is 
used so we can prove the person clicking on the link is 
the same person who got the answer correct.

Dan Kubb
Lead Software Developer
The Internet Marketing Center


> One of the ways to implement the password reset is to
> 1. Ask the personal question
> 2. if correctly answered, generates a unique temporary password
> 3. Send the password over email to user.
> 4. This would allow user to login once.
>
> My query is regarding sending the password over email to 
> user. How secure is
> it? Given that,
> 1. The Server would be delivering the password email to an 
> Internet Service
> Provider.
> 2. The user would typically be online waiting for the password emal to
> arrive.
> 3. The password would be invalid after the first use.
> How valid are these assumptions?
>
> Any other pointers about different way of re-setting the 
> password would be
> helpful.


---------------------------------------------------------------------------
FastTrain has your solution for a great CISSP Boot Camp. The industry's most
recognized corporate security certification track, provides a comprehensive
prospectus based upon the core principle concepts of security. This ALL INCLUSIVE curriculum utilizes lectures, case 
studies and true hands-on utilization
of pertinent security tools. For a limited time you can enter for a chance
to win one of the latest technological innovations, the SEGWAY HT.
Log onto http://www.securityfocus.com/FastTrain-security-basics
----------------------------------------------------------------------------