WebApp Sec mailing list archives
Re: "Forgot Password" function
From: "David Bullock" <davidbullock () tech-center com>
Date: Fri, 18 Oct 2002 11:09:29 -0700
You can also mail a link with a secured hash to their email address, for them to enter a new password. Emailing them the password not only as the risk of sending the password in the clear, you also have to store it in the clear, and that carries it's own risks. Dave ----- Original Message ----- From: "Brecrost Jones" <brecrost () hotmail com> To: <webappsec () securityfocus com> Sent: Friday, October 18, 2002 10:31 AM Subject: "Forgot Password" function I'm looking for opinions on the most secure way to implement a "Forgot my password" function for a website. I know that having this feature is probably an inherent security risk, but __assuming that it is a required feature__ what would be the most secure way to implement it? Is the "enter your email address and we'll mail you the password" the best way to go? As far as I can tell, it's the most common. But I'm not sure if I'm comfortable sending the password in a clear text email message. I don't really like the "secret question" method either, since if someone can get the question, they may be able to guess the answer. Are there other methods out there? Has anyone come up with a novel solution that is more secure?
Current thread:
- "Forgot Password" function Brecrost Jones (Oct 18)
- Re: "Forgot Password" function David Bullock (Oct 18)
- Re: "Forgot Password" function Kevin Spett (Oct 18)
- Re: "Forgot Password" function Haroon Meer (Oct 18)
- Re: "Forgot Password" function Jeroen Latour (Oct 18)
- Re: "Forgot Password" function Chris Shepherd (Oct 18)
- Re: "Forgot Password" function Kevin Spett (Oct 18)
- <Possible follow-ups>
- Re: "Forgot Password" function Mark Curphey (Oct 18)
- Re: "Forgot Password" function Kevin Spett (Oct 18)
- Re: "Forgot Password" function Brecrost Jones (Oct 18)
- Password Recovery (long) was Re: "Forgot Password" function Charles Miller (Oct 19)
- Re: Password Recovery (long) was Re: "Forgot Password" function Sverre H. Huseby (Oct 19)
- Password Recovery (long) was Re: "Forgot Password" function Charles Miller (Oct 19)
(Thread continues...)