WebApp Sec mailing list archives
Re: "Forgot Password" function
From: Chris Shepherd <chriss () whstuart com>
Date: Fri, 18 Oct 2002 14:32:31 -0400
Quoting Brecrost Jones <brecrost () hotmail com>: [...]
Is the "enter your email address and we'll mail you the password" the best way to go? As far as I can tell, it's the most common. But I'm not sure if I'm comfortable sending the password in a clear text email message. I don't really like the "secret question" method either, since if someone can get the question, they may be able to guess the answer. Are there other methods out there? Has anyone come up with a novel solution that is more secure?
Since I encrypt all my passwords with MD5, and I record email addresses with each password, I simply have the "forgot password" link ask them for their user id. Then, the following steps would happen: 1. Script retrieves the MD5'ed password from the database. 2. Script gets another MD5 hash of the password, and adds that into an email. 3. Email is sent out to the email address on file containing a link to a script (with the Hash of the hashed PW in the query string) that will compare the hash in the email to the hash of the current MD5'ed password in the database. 4. If the two match, the user would be prompted to change their password. If not, it would get logged for an administrator to browse. The reason I would hash the hash (as it were), is so that the hashed password doesn't get sent in the email. The reason for this is that if an attacker had a copy of the hash, they could attempt to bruteforce it. This way, they would have to bruteforce the 32-bit MD5 string to get a hit, and then they would have to go and bruteforce the MD5 string to get the hit. Considering MD5's are 32 characters, the number of combinations alone (17^32, if I'm not mistaken) would be enough of a preventative meausure, and that's assuming the attacker knows you are using this technique. Essentially this is just generating a key and emailing it to the 'trusted' user. You can even have a form for it that would require they copy and paste it into an email and say, add the first three characters of their name to it or something. At any rate, it would be a little more secure than passing the raw password in plaintext, and also allows you to keep the passwords in your database MD5'ed. Just a thought. -- Chris Shepherd ------------------------------------------------- This email may contain confidential information. Use of any such information is strictly prohibited without express written consent of the sender
Current thread:
- "Forgot Password" function Brecrost Jones (Oct 18)
- Re: "Forgot Password" function David Bullock (Oct 18)
- Re: "Forgot Password" function Kevin Spett (Oct 18)
- Re: "Forgot Password" function Haroon Meer (Oct 18)
- Re: "Forgot Password" function Jeroen Latour (Oct 18)
- Re: "Forgot Password" function Chris Shepherd (Oct 18)
- Re: "Forgot Password" function Kevin Spett (Oct 18)
- <Possible follow-ups>
- Re: "Forgot Password" function Mark Curphey (Oct 18)
- Re: "Forgot Password" function Kevin Spett (Oct 18)
- Re: "Forgot Password" function Brecrost Jones (Oct 18)
- Password Recovery (long) was Re: "Forgot Password" function Charles Miller (Oct 19)
- Re: Password Recovery (long) was Re: "Forgot Password" function Sverre H. Huseby (Oct 19)
- Re: Password Recovery (long) was Re: "Forgot Password" function Charles Miller (Oct 19)
- Password Recovery (long) was Re: "Forgot Password" function Charles Miller (Oct 19)
- RE: "Forgot Password" function wsmith (Oct 18)
- RE: "Forgot Password" function Matthew_Chalmers (Oct 19)
- RE: "Forgot Password" function William Bartholomew (Oct 20)