WebApp Sec mailing list archives

RE: Forgot Your Password Best Practices

From: "Richard M. Smith" <rms () computerbytesman com>
Date: Thu, 29 May 2003 21:56:09 -0400

This recent article illustrates one glitch with many "forgot your
password" systems: 

Expired Domains Expose EBay Security Glitch
http://www.auctionbytes.com/cab/abn/y03/m05/i15/s01

The trick is to acquire an expired domain and see what email addresses
have been used at the domain by watching incoming email.  These email
addresses can then be used to break into Web site accounts.

In spite of what the article says, this is not an eBay-specific issue.
I just checked and Amazon as one example will allow an account password
to be reset with the only requirement being access to the email account
which is associated with the Amazon account.

As an aside, if someone gets your email account password, they then can
take control of your Amazon account and associated credit card. 

Richard

-----Original Message-----
From: Susan Olson [mailto:olson.susan () excite com] 
Sent: Thursday, May 29, 2003 1:52 PM
To: webappsec () securityfocus com
Subject: Forgot Your Password Best Practices

Does anyone know where I can find some 'best practices' and/or know of
some Dos and Don'ts for implementing a "Forgot Your Password" function
for a web site?  I've been looking for a couple of days and have not
turned up much.

TIA,

- Sue

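An added example (not code from either poster) of the mitigation the thread points at: a forgot-password handler that refuses to treat e-mail alone as proof of ownership when the address's domain was registered after the account confirmed it, and otherwise issues a short-lived, single-use token of which only the hash is stored. The registration dates are constructed sample data standing in for a WHOIS/RDAP lookup; `DOMAIN_REGISTERED`, `request_reset` and `token_matches` are hypothetical names.

```python
from datetime import datetime, timedelta
import hashlib
import secrets

# Constructed stand-in for a WHOIS/RDAP "registration date" lookup.
# "lapsed-startup.example" models a domain that expired and was re-registered
# in May 2003, after the account had verified an address there.
DOMAIN_REGISTERED = {
    "example.com": "1995-08-14T00:00:00+00:00",
    "lapsed-startup.example": "2003-05-10T00:00:00+00:00",
}

def domain_reregistered_since(email: str, email_verified_at: str) -> bool:
    """True when the address's domain was registered *after* the account
    confirmed the address, i.e. the mailbox may now belong to whoever picked
    up the expired domain. Unknown domains are treated as suspicious."""
    domain = email.rsplit("@", 1)[-1].lower()
    registered = DOMAIN_REGISTERED.get(domain)
    if registered is None:
        return True  # fail closed: no registration data, no e-mail-only reset
    return datetime.fromisoformat(registered) > datetime.fromisoformat(email_verified_at)

def request_reset(email: str, email_verified_at: str, now: str,
                  ttl: timedelta = timedelta(minutes=15)) -> dict:
    """Decide how to handle a forgot-password request.

    If the e-mail domain may have changed hands, demand a second proof of
    ownership instead of mailing a reset link. Otherwise return the plaintext
    token (goes into the e-mail only), its SHA-256 (the only value to persist)
    and an expiry, so a leaked database does not yield usable reset tokens."""
    if domain_reregistered_since(email, email_verified_at):
        return {"action": "require_additional_verification"}
    token = secrets.token_urlsafe(32)  # unguessable; mark it used after one redemption
    return {
        "action": "send_email",
        "token": token,
        "token_hash": hashlib.sha256(token.encode()).hexdigest(),
        "expires_at": (datetime.fromisoformat(now) + ttl).isoformat(),
    }

def token_matches(presented: str, stored_hash: str) -> bool:
    """Constant-time check of a presented token against the stored hash."""
    digest = hashlib.sha256(presented.encode()).hexdigest()
    return secrets.compare_digest(digest, stored_hash)
```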

