WebApp Sec mailing list archives
RE: "Forgot Password" function
From: wsmith () icsalabs com
Date: Fri, 18 Oct 2002 16:15:46 -0400
I have come across some sites that do this rather well. One way that I really like provides the user with a Forgot Password page and function allowing for re-authentication to the application. This process does not send an email or present the forgotten password to the user. Instead, the Forgot Password process validates the required account information, which was set during initial account creation (city of birth, mother's maiden name, two secret questions), before allowing a new password to be created/stored, and presenting the user with the Login page for authentication.

As a precaution, the application was configured to notify the accountholder of any changes to user-configurable information (which may occur through the application, by either the user or support personnel), including password changes, via an email message. This message, sent to the address of the accountholder, provides a generic notification as to the type of change, how the change occurred, and when it occurred, but does not include any sensitive account information. As an extra precaution, the accountholder cannot change their email address via the application, but rather must contact the appropriate support personnel, who perform proper account validation before changing the address. This way the accountholder will be informed of changes to their account and can report any suspicious activity.

Additionally, the user gets three failed attempts at resetting their password before the account is permanently locked out, requiring the user to contact the support personnel to unlock the account.

Hope this helps

--Bill Smith

-----Original Message-----
From: Brecrost Jones [mailto:brecrost () hotmail com]
Sent: Friday, October 18, 2002 1:32 PM
To: webappsec () securityfocus com
Subject: "Forgot Password" function

I'm looking for opinions on the most secure way to implement a "Forgot my password" function for a website.

I know that having this feature is probably an inherent security risk, but __assuming that it is a required feature__ what would be the most secure way to implement it? Is the "enter your email address and we'll mail you the password" the best way to go? As far as I can tell, it's the most common. But I'm not sure if I'm comfortable sending the password in a clear text email message. I don't really like the "secret question" method either, since if someone can get the question, they may be able to guess the answer. Are there other methods out there? Has anyone come up with a novel solution that is more secure?

Thanks for any input.
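The reset flow Bill describes (secret-answer validation before a new password is accepted, a generic change notice to the address on file, lock-out after three failures, and no email-address change through the flow), written out as an added Python example that is not part of the original thread. The account fields, the question set, the PBKDF2 parameters and the in-memory notification outbox are assumptions made for the demonstration; a real deployment would back these with a database and a mail service.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timezone

# From the message: three failed reset attempts, then the account is locked
# until support staff validate the caller and unlock it.
MAX_RESET_ATTEMPTS = 3
PBKDF2_ROUNDS = 100_000  # assumed work factor for this demonstration

# Assumed question set, matching the kinds of data the message mentions.
QUESTIONS = ("City of birth?", "Mother's maiden name?",
             "Secret question 1?", "Secret question 2?")


def _normalise(answer: str) -> str:
    """Case and stray whitespace should not turn a correct answer into a failure."""
    return " ".join(answer.strip().lower().split())


def _hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so neither passwords nor answers are stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    username: str
    email: str            # changeable only by support staff, never through this flow
    password_salt: bytes
    password_hash: bytes
    answer_salt: bytes
    answer_hashes: list   # one hash per entry in QUESTIONS, same order
    failed_reset_attempts: int = 0
    locked: bool = False


def create_account(username, email, password, answers) -> Account:
    """Capture the secret answers at account creation, as the message describes."""
    psalt, asalt = os.urandom(16), os.urandom(16)
    return Account(username, email, psalt, _hash_secret(password, psalt), asalt,
                   [_hash_secret(_normalise(a), asalt) for a in answers])


class ResetService:
    def __init__(self, accounts):
        self.accounts = {a.username: a for a in accounts}
        self.outbox = []  # notifications that would be emailed to the address on file

    def _notify(self, acct, kind, how):
        # Generic notice only: type of change, channel, time. No password, no
        # answers, no reset link, so the mail itself is not worth intercepting.
        when = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.outbox.append({"to": acct.email, "subject": f"Account change: {kind}",
                            "body": f"A {kind} was made via {how} at {when}. "
                                    "If this was not you, contact support."})

    def _answers_match(self, acct, answers) -> bool:
        if len(answers) != len(acct.answer_hashes):
            return False
        ok = True
        for given, expected in zip(answers, acct.answer_hashes):
            # Check every answer with a constant-time compare and never short-circuit,
            # so response timing does not reveal which answer was wrong.
            ok &= hmac.compare_digest(_hash_secret(_normalise(given), acct.answer_salt), expected)
        return ok

    def reset_password(self, username, answers, new_password) -> str:
        acct = self.accounts.get(username)
        if acct is None:
            return "denied"   # same answer as a wrong guess; do not confirm which accounts exist
        if acct.locked:
            return "locked"
        if not self._answers_match(acct, answers):
            acct.failed_reset_attempts += 1
            if acct.failed_reset_attempts >= MAX_RESET_ATTEMPTS:
                acct.locked = True
                self._notify(acct, "account lock", "Forgot Password page")
                return "locked"
            return "denied"
        # Answers verified: store the new password and tell the owner it happened.
        acct.password_salt = os.urandom(16)
        acct.password_hash = _hash_secret(new_password, acct.password_salt)
        acct.failed_reset_attempts = 0
        self._notify(acct, "password change", "Forgot Password page")
        return "reset"

    def login(self, username, password) -> bool:
        acct = self.accounts.get(username)
        if acct is None or acct.locked:
            return False
        return hmac.compare_digest(_hash_secret(password, acct.password_salt), acct.password_hash)
```

Note that the service exposes no way to change `email`, so the notification always reaches the address support staff last validated; that is what makes the generic notice useful as an alarm rather than something an attacker who passed the questions could redirect.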
Current thread:
- Re: "Forgot Password" function, (continued)
- Re: "Forgot Password" function Haroon Meer (Oct 18)
- Re: "Forgot Password" function Jeroen Latour (Oct 18)
- Re: "Forgot Password" function Chris Shepherd (Oct 18)
- Re: "Forgot Password" function Kevin Spett (Oct 18)
- Re: "Forgot Password" function Mark Curphey (Oct 18)
- Re: "Forgot Password" function Kevin Spett (Oct 18)
- Re: "Forgot Password" function Brecrost Jones (Oct 18)
- Password Recovery (long) was Re: "Forgot Password" function Charles Miller (Oct 19)
- Re: Password Recovery (long) was Re: "Forgot Password" function Sverre H. Huseby (Oct 19)
- Re: Password Recovery (long) was Re: "Forgot Password" function Charles Miller (Oct 19)
- Password Recovery (long) was Re: "Forgot Password" function Charles Miller (Oct 19)
- RE: "Forgot Password" function wsmith (Oct 18)
- RE: "Forgot Password" function Matthew_Chalmers (Oct 19)
- RE: "Forgot Password" function William Bartholomew (Oct 20)
- Re: "Forgot Password" function Kevin Spett (Oct 20)