Re: "Forgot Password" function

[Haroon Meer <haroon () sensepost com>]

ehlo

"Enter your email address, and we will email you your password" is also
inherently stupid (without ensuring that the entered email address matches
the one on record)

If you going to use the one on record.. then why ask the user to enter it
anyway? (just gives an atacker somthing else to aim at) If you must use
this method, then ask for his username, and send the pass to the email
address u have..

======================================================================
Haroon Meer                                                         MH
SensePost Information Security                          +27 83786 6637
PGP : http://www.sensepost.com/pgp/haroon.txt     haroon () sensepost com
======================================================================

On Fri, 18 Oct 2002, Brecrost Jones wrote:

> I'm looking for opinions on the most secure way to implement a "Forgot my
> password" function for a website.  I know that having this feature is
> probably an inherent security risk, but __assuming that it is a required
> feature__ what would be the most secure way to implement it?
>
> Is the "enter your email address and we'll mail you the password" the best
> way to go?  As far as I can tell, it's the most common.  But I'm not sure if
> I'm comfortable sending the password in a clear text email message.
>
> I don't really like the "secret question" method either, since if someone
> can get the question, they may be able to guess the answer.
>
> Are there other methods out there?  Has anyone come up with a novel solution
> that is more secure?
>
> Thanks for any input.
>
>
> _________________________________________________________________
> Get faster connections?-- switch to?MSN Internet Access!
> http://resourcecenter.msn.com/access/plans/default.asp