Security Basics mailing list archives

Re: How secure is Email based password reset?


From: "S. Rohit" <s.rohit () usa net>
Date: Sat, 10 May 2003 11:02:58 +0800

hi....

    This is a very neat and elegant solution proposed by Dan. The only
problem in this solution can be to ensure that the SSL session does not time
out before the email is received by the user. This can happen because it
might be possible for the email to get delayed in delivery, which is quite a
common occurrence, especially if the mail server that you will be using to
send out the email will be the same as the corporate email server. To ensure
that this solution works in a smoother manner you might want to consider
adding a new mail server into the solution which can handle the outgoing
emails from all the applications that will be using this kind of solution.
This will at least reduce the lag in email transit introduced due to the load
on the corporate email servers..... Now the only reason for delayed email
delivery will be internet traffic based delays....

rohit

----- Original Message ----- 
From: "Dan Kubb" <dan.kubb () marketingtips com>
To: "'Shekhar Jha'" <shekhar-jha () usa net>
Cc: <security-basics () securityfocus com>
Sent: Friday, May 09, 2003 12:18 AM
Subject: RE: How secure is Email based password reset?


I'd do the following:

  1. When generating the user account, ask them to enter
     in a personal question that only they would know the
     answer to.  I'd then ask them to put in the answer.
     I'd also instruct them on bad questions, like
     "What is my SSN?" Or "What is my mother's maiden name?".
  2. SHA-1 hash their answer and store it in the database.
  3. When the user tries to log in, and forgets their
     password, redirect them to an SSL protected area.
  4. Ask them the "secret question".  Hash their answer, and
     compare against the DB.  If they get it right,
     email a one-time "key".
  5. Tell the user to check their email, and paste in the
     key that was just mailed to them into a text box and
     hit submit.  Most importantly:  All this is done during
     the same SSL session, and the one-time key is only valid
     for this SSL session and for a limited time (say 5 mins).
     If the user disconnects, or walks away from their
     computer for more than 5 mins, the key should be made
     not to work.
  6. User gets to change their password from within an SSL
     enabled area.

Step number 5 is the important one.  If someone intercepted
the passphrase in-transit, they wouldn't be able to do
anything with it, because it's only valid for the real
user's SSL session.

You could probably change it so that instead of pasting
in a text box, that they click on a link via email.  The
only important factor is that the current SSL session is
used so we can prove the person clicking on the link is
the same person who got the answer correct.

Dan Kubb
Lead Software Developer
The Internet Marketing Center


One of the ways to implement the password reset is to
1. Ask the personal question
2. If correctly answered, generate a unique temporary password
3. Send the password over email to the user.
4. This would allow the user to login once.

My query is regarding sending the password over email to the
user. How secure is it? Given that,
1. The Server would be delivering the password email to an
Internet Service Provider.
2. The user would typically be online waiting for the password email to
arrive.
3. The password would be invalid after the first use.
How valid are these assumptions?

Any other pointers about different ways of re-setting the
password would be helpful.


---------------------------------------------------------------------------
FastTrain has your solution for a great CISSP Boot Camp. The industry's most
recognized corporate security certification track, provides a comprehensive
prospectus based upon the core principle concepts of security. This ALL
INCLUSIVE curriculum utilizes lectures, case studies and true hands-on
utilization
of pertinent security tools. For a limited time you can enter for a chance
to win one of the latest technological innovations, the SEGWAY HT.
Log onto http://www.securityfocus.com/FastTrain-security-basics
----------------------------------------------------------------------------
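Dan's steps 4 and 5 above, as an added example that is not part of the original thread: a small Python model in which the one-time key is bound to the session that answered the secret question, expires after 5 minutes, and is consumed on first use. The `ResetFlow`, `request_reset` and `redeem` names, the session ids and the sample users are assumptions for illustration; the salted PBKDF2 answer hash is a substitution for the plain SHA-1 the message proposes.

```python
import hashlib
import hmac
import secrets
import time

KEY_TTL_SECONDS = 5 * 60  # the thread's "limited time (say 5 mins)"

def hash_answer(answer: str, salt: bytes) -> bytes:
    # Thread proposed plain SHA-1; this example substitutes salted PBKDF2
    # so a leaked DB row is harder to reverse into the secret answer.
    normalized = answer.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", normalized, salt, 100_000)

class ResetFlow:
    """Steps 4-5: check the secret answer, then issue a one-time key that is
    valid only for the SSL session that answered, and only for the TTL."""
    def __init__(self, clock=time.time):
        self.clock = clock     # injectable so expiry can be exercised in tests
        self.users = {}        # username -> (question, salt, answer_hash)
        self.pending = {}      # session_id -> (username, key, issued_at)

    def register(self, username, question, answer):
        salt = secrets.token_bytes(16)
        self.users[username] = (question, salt, hash_answer(answer, salt))

    def request_reset(self, session_id, username, answer):
        """Step 4: on a correct answer, mint a key bound to this session.
        Returns the key the application would e-mail, or None."""
        if username not in self.users:
            return None
        _, salt, stored = self.users[username]
        if not hmac.compare_digest(hash_answer(answer, salt), stored):
            return None
        key = secrets.token_urlsafe(32)
        self.pending[session_id] = (username, key, self.clock())
        return key

    def redeem(self, session_id, key):
        """Step 5: accept the key only from the session that requested it,
        only within the TTL, and only once. Returns the username or None."""
        entry = self.pending.get(session_id)
        if entry is None:            # wrong session, or no reset in progress
            return None
        username, expected, issued_at = entry
        if self.clock() - issued_at > KEY_TTL_SECONDS:
            del self.pending[session_id]   # expired: user must start over
            return None
        if not hmac.compare_digest(expected.encode(), key.encode()):
            return None
        del self.pending[session_id]       # one-time: consumed on success
        return username
```

A key that was intercepted in transit is useless to anyone presenting it from another session, which is the property Dan's step 5 relies on.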



