
Re: How secure is Email based password reset?

From: Brian Eckman <eckman(at)umn.edu>
Date: Thu May 08 2003 - 13:22:01 EDT

I'm assuming this is a password reset for a Web site?

I guess I disagree with most people. I think the method that you outline is reasonable for most uses. I think your assumptions are reasonable ones. If this is for online banking or something similar, then other precautions should be included, such as the suggestion I list below.

Obviously, only send the E-mail to their registered E-mail address, don't let them provide one now. Also, it must be enforced that the temporary password can be used exactly once.

Something you could consider:

Use SSL on the password reset request Web page. Have it display a random passphrase that must be entered for the user to reset their password. E-mail them a customized URL to reset their password on. This page (also SSL encrypted) should be configured to only be accessible once. Users must enter the passphrase they were given, as well as choose their new password, which is not E-mailed to them. Allow 0-2 failures of the passphrase before expiring the custom URL.

It doesn't really have to be a custom URL, as long as your server can identify the correct passphrase issued to that account.

If SSL is not used during authentication, then all of this is pointless, since the password is sent along cleartext anyway. Your described method would be acceptable if SSL is never used.


Brian

Shekhar Jha wrote:
> One of the ways to implement the password reset is to

-- 
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
612-626-7737

"There are 10 types of people in this world. Those who
understand binary and those who don't."


Received on Fri May 9 14:58:04 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:04:18 EDT

