WebApp Sec mailing list archives

RE: "Forgot Password" function


From: wsmith () icsalabs com
Date: Fri, 18 Oct 2002 16:15:46 -0400

I have come across some sites that do this rather well.  One way that I
really like provides the user with a Forgot Password page and function
allowing for re-authentication to the application.  This process does not
send via email or present the forgotten password to the user.  Instead, the
Forgot Password process validates the required account information, which
was set during initial account creation (city of birth, mother's maiden
name, two secret questions), before allowing a new password to be
created/stored, and presenting the user with the Login page for
authentication.

As a precaution, the application was configured to notify the accountholder
of any changes to user-configurable information (which may occur through the
application, by either the user or support personnel), including password
changes, via an email message.  This message, sent to the address of the
accountholder, provides a generic notification as to the type of change, how
the change occurred, and when it occurred, but does not include any
sensitive account information.  As an extra precaution, the accountholder
cannot change their email address via the application, but rather must
contact the appropriate support personnel, who perform proper account
validation, before changing the address.  This way the accountholder will
be informed of changes to their account and can report any suspicious
activity.  Additionally, the user gets three failed attempts at resetting
their password before the account is permanently locked out, requiring the
user to contact the support personnel to unlock the account.
 
Hope this helps

--Bill Smith
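The flow Bill describes, as an added example that is not part of the original post: enrolled answers and passwords are stored as salted PBKDF2 hashes, the reset re-authenticates against every enrolled answer with a constant-time comparison, the old password is never revealed, a generic change notification (type, how, when, nothing sensitive) is queued for the account's email address, three failed resets lock the account until support unlocks it, and the application refuses to change the email address itself. The in-memory `Account` record, the question/answer pairs and the notification list are constructed stand-ins for a real user store and mail queue.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timezone

MAX_RESET_ATTEMPTS = 3   # three failed resets lock the account, as described above
KDF_ITERATIONS = 50_000  # assumed work factor; tune for the deployment


def _kdf(value: str, salt: bytes) -> bytes:
    """Salted, slow hash so stored passwords/answers are not recoverable from the database."""
    return hashlib.pbkdf2_hmac("sha256", value.encode("utf-8"), salt, KDF_ITERATIONS)


def _normalise_answer(answer: str) -> str:
    """Tolerate case and spacing differences in secret answers ('Silva' == ' silva ')."""
    return " ".join(answer.casefold().split())


@dataclass
class Account:
    """Constructed stand-in for a user record; a real app would persist this."""
    username: str
    email: str                     # changed only by support staff, see change_email()
    password_salt: bytes
    password_hash: bytes
    answer_salt: bytes
    answer_hashes: dict            # question text -> hash of the enrolled, normalised answer
    failed_reset_attempts: int = 0
    locked: bool = False
    notifications: list = field(default_factory=list)  # stands in for the outgoing mail queue


def create_account(username: str, email: str, password: str, secret_answers: dict) -> Account:
    """Enrol the account with its password and the secret answers collected at creation."""
    password_salt, answer_salt = os.urandom(16), os.urandom(16)
    return Account(
        username=username,
        email=email,
        password_salt=password_salt,
        password_hash=_kdf(password, password_salt),
        answer_salt=answer_salt,
        answer_hashes={q: _kdf(_normalise_answer(a), answer_salt) for q, a in secret_answers.items()},
    )


def _notify(account: Account, change_type: str, how: str) -> None:
    """Generic change notification: type, channel and time only, never the new value."""
    account.notifications.append({
        "to": account.email,
        "type": change_type,
        "how": how,
        "when": datetime.now(timezone.utc).isoformat(),
    })


def forgot_password(account: Account, supplied_answers: dict, new_password: str) -> str:
    """Re-authenticate with the enrolled secret answers, then store a new password.

    Returns "ok", "wrong_answers" or "locked".  The forgotten password is never
    shown or emailed; on "ok" the user is sent to the normal login page.
    """
    if account.locked:
        return "locked"
    # Check every enrolled question even after a mismatch, so response timing
    # does not reveal which answer was wrong.
    all_match = True
    for question, stored in account.answer_hashes.items():
        candidate = _kdf(_normalise_answer(supplied_answers.get(question, "")), account.answer_salt)
        if not hmac.compare_digest(candidate, stored):
            all_match = False
    if not all_match:
        account.failed_reset_attempts += 1
        if account.failed_reset_attempts >= MAX_RESET_ATTEMPTS:
            account.locked = True  # only support personnel can unlock from here
            return "locked"
        return "wrong_answers"
    account.password_hash = _kdf(new_password, account.password_salt)
    account.failed_reset_attempts = 0
    _notify(account, "password_change", "forgot_password")
    return "ok"


def login(account: Account, password: str) -> bool:
    """Ordinary login; a locked account cannot authenticate even with the right password."""
    if account.locked:
        return False
    return hmac.compare_digest(_kdf(password, account.password_salt), account.password_hash)


def change_email(account: Account, new_email: str) -> None:
    """The application never changes the address itself; support does so after validating the account."""
    raise PermissionError("email address changes must be made by support personnel")


if __name__ == "__main__":
    acct = create_account("alice", "alice@example.test", "OldPassw0rd!",
                          {"city of birth": "Lisbon", "mother's maiden name": "Silva"})
    print(forgot_password(acct, {"city of birth": "lisbon", "mother's maiden name": "Silva"}, "NewPassw0rd!"))
    print(acct.notifications[-1])
```

The notification record carries only what the post lists (type of change, how it occurred, when) so a notification that reaches the wrong mailbox discloses nothing usable; the lockout counter is reset only by a successful reset, so the three attempts are cumulative across sessions.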

-----Original Message-----
From: Brecrost Jones [mailto:brecrost () hotmail com]
Sent: Friday, October 18, 2002 1:32 PM
To: webappsec () securityfocus com
Subject: "Forgot Password" function


I'm looking for opinions on the most secure way to implement a "Forgot my 
password" function for a website.  I know that having this feature is 
probably an inherent security risk, but __assuming that it is a required 
feature__ what would be the most secure way to implement it?

Is the "enter your email address and we'll mail you the password" the best
way to go?  As far as I can tell, it's the most common.  But I'm not sure if
I'm comfortable sending the password in a clear text email message.

I don't really like the "secret question" method either, since if someone 
can get the question, they may be able to guess the answer.

Are there other methods out there?  Has anyone come up with a novel solution
that is more secure?

Thanks for any input.




