WebApp Sec mailing list archives

Re: "Forgot Password" function


From: Mark Curphey <mark () curphey com>
Date: Fri, 18 Oct 2002 11:17:49 -0700 (PST)

Page 20 of the OWASP Guide has some advice on this.

http://www.owasp.org.

---- Brecrost Jones <brecrost () hotmail com> wrote:
I'm looking for opinions on the most secure way to implement a "Forgot my password" function for a website.  I know that having this feature is probably an inherent security risk, but __assuming that it is a required feature__ what would be the most secure way to implement it?

Is the "enter your email address and we'll mail you the password" the best way to go?  As far as I can tell, it's the most common.  But I'm not sure if I'm comfortable sending the password in a clear text email message.

I don't really like the "secret question" method either, since if someone can get the question, they may be able to guess the answer.

Are there other methods out there?  Has anyone come up with a novel solution that is more secure?

Thanks for any input.



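As an added example (not part of this thread, the OWASP Guide, or either poster's code), below is a sketch of the reset-link approach that avoids both concerns raised in the question: no password is ever mailed, and no guessable secret question is used. A random single-use token is generated, only its hash is stored alongside an expiry, and the plaintext token is sent in a link; redeeming the token sets a fresh password and discards any other outstanding tokens for the account. The in-memory dictionaries, the 15-minute lifetime and the PBKDF2 parameters are assumptions standing in for a real database and policy.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: a reset link stays valid for 15 minutes.
TOKEN_TTL_SECONDS = 15 * 60

# Constructed in-memory stores standing in for database tables.
USERS = {}          # email -> {"salt": bytes, "password_hash": bytes}
RESET_TOKENS = {}   # sha256(token) hex -> {"email": str, "expires": float}


def _hash_password(password, salt):
    # Slow, salted hash so a leaked user table cannot be reversed cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_user(email, password):
    salt = secrets.token_bytes(16)
    USERS[email] = {"salt": salt, "password_hash": _hash_password(password, salt)}


def check_password(email, password):
    user = USERS.get(email)
    if user is None:
        return False
    candidate = _hash_password(password, user["salt"])
    return hmac.compare_digest(user["password_hash"], candidate)


def _token_key(token):
    # Only the hash of the token is stored, so a stolen table yields no usable links.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email, now=None):
    """Step 1: the user submits an address. Returns (message, token).

    The message is identical whether or not the address is registered, so the
    form does not reveal which addresses have accounts. The token (to be placed
    in the emailed link) is None when there is no account to mail.
    """
    now = time.time() if now is None else now
    token = None
    if email in USERS:
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        RESET_TOKENS[_token_key(token)] = {
            "email": email,
            "expires": now + TOKEN_TTL_SECONDS,
        }
    return "If that address is registered, a reset link has been sent.", token


def redeem_reset(token, new_password, now=None):
    """Step 2: the user follows the link and chooses a new password.

    Returns True on success. The token is consumed on first use whether or not
    it turns out to be valid, it is rejected after expiry, and every other
    outstanding token for the account is discarded once the password changes.
    """
    now = time.time() if now is None else now
    record = RESET_TOKENS.pop(_token_key(token), None)   # single use
    if record is None or now > record["expires"]:
        return False
    email = record["email"]
    for key in [k for k, v in RESET_TOKENS.items() if v["email"] == email]:
        del RESET_TOKENS[key]
    salt = secrets.token_bytes(16)
    USERS[email] = {"salt": salt, "password_hash": _hash_password(new_password, salt)}
    return True
```

In a real deployment the link would carry the token as a URL parameter over HTTPS, the email would go out asynchronously so response timing does not differ between known and unknown addresses, and the reset endpoint would be rate-limited per address; none of that changes the token logic shown here.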




