WebApp Sec mailing list archives
Re: "Forgot Password" function
From: Mark Curphey <mark () curphey com>
Date: Fri, 18 Oct 2002 11:17:49 -0700 (PST)
Page 20 of the OWASP Guide has some advice on this. http://www.owasp.org.

---- Brecrost Jones <brecrost () hotmail com> wrote:

I'm looking for opinions on the most secure way to implement a "Forgot my password" function for a website. I know that having this feature is probably an inherent security risk, but __assuming that it is a required feature__ what would be the most secure way to implement it?

Is the "enter your email address and we'll mail you the password" the best way to go? As far as I can tell, it's the most common. But I'm not sure if I'm comfortable sending the password in a clear text email message.

I don't really like the "secret question" method either, since if someone can get the question, they may be able to guess the answer.

Are there other methods out there? Has anyone come up with a novel solution that is more secure? Thanks for any input.
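As an added illustration of the alternative the thread is circling around (not code from the thread or from the OWASP Guide): instead of mailing the password or relying on a secret question, the site mails a random, short-lived, single-use reset link and stores only a hash of the token. The in-memory USERS and RESET_TOKENS dictionaries, the 15-minute lifetime and the placeholder account are constructed assumptions standing in for a real database.

```python
import hashlib
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60  # reset links expire after 15 minutes (assumed policy)

# Constructed in-memory stores standing in for the real user and token tables.
USERS = {"alice@example.com": {"salt": b"initial-salt",
                               "password_hash": b"<constructed placeholder>"}}
RESET_TOKENS = {}  # sha256(token) -> {"email", "expires", "used"}


def _token_hash(token: str) -> str:
    # Only the hash is stored: a leaked token table yields no usable reset links.
    return hashlib.sha256(token.encode()).hexdigest()


def _password_hash(password: str, salt: bytes) -> bytes:
    # Slow, salted KDF from the standard library for the new password.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)


def request_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """Return the raw token to embed in the e-mailed link, or None if the
    address is unknown. The web layer shows the same 'check your inbox'
    message either way, so the form cannot be used to enumerate accounts."""
    now = time.time() if now is None else now
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
    RESET_TOKENS[_token_hash(token)] = {
        "email": email, "expires": now + TOKEN_TTL_SECONDS, "used": False}
    return token


def redeem_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Accept a token once, within its lifetime, and set the new password."""
    now = time.time() if now is None else now
    # Lookup is keyed by the hash, so dictionary timing reveals nothing about the token.
    record = RESET_TOKENS.get(_token_hash(token))
    if record is None or record["used"] or now > record["expires"]:
        return False
    record["used"] = True  # single use: a replayed or intercepted link is worthless
    salt = secrets.token_bytes(16)
    USERS[record["email"]] = {"salt": salt,
                              "password_hash": _password_hash(new_password, salt)}
    return True
```

The old password is never sent anywhere and never needs to be recoverable, so it can stay hashed; the mailed link only proves control of the inbox for a few minutes.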