
RE: Forgot Your Password Best Practices

From: Richard M. Smith <rms(at)computerbytesman.com>
Date: Thu May 29 2003 - 21:56:09 EDT


This recent article illustrates one glitch with many "forgot your password" systems:

Expired Domains Expose EBay Security Glitch http://www.auctionbytes.com/cab/abn/y03/m05/i15/s01

The trick is to acquire an expired domain and see what email addresses have been used at the domain by watching incoming email. These email addresses can then be used to break into Web site accounts.

In spite of what the article says, this is not an eBay-specific issue. I just checked, and Amazon, as one example, will allow an account password to be reset with the only requirement being access to the email account which is associated with the Amazon account.

As an aside, if someone gets your email account password, they then can take control of your Amazon account and associated credit card.

Richard

-----Original Message-----
From: Susan Olson [mailto:olson.susan@excite.com]
Sent: Thursday, May 29, 2003 1:52 PM
To: webappsec@securityfocus.com
Subject: Forgot Your Password Best Practices

Does anyone know where I can find some 'best practices' and/or know of some Dos and Don'ts for implementing a "Forgot Your Password" function for a web site? I've been looking for a couple of days and have not turned up much.


TIA,

- Sue

Join Excite! - http://www.excite.com
The most personalized portal on the Web!

Received on Thu May 29 22:03:18 2003
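The thread above describes the weak point of "forgot your password" flows that treat reachability of the registered mailbox as the only proof of identity, and asks for implementation do's and don'ts. The following is an added example, not code from either poster or from any site mentioned in the thread, of a reset flow built the way a defender would want it: the emailed token is generated from a CSPRNG, stored only as a hash, expires after a short window, can be used exactly once, and the request endpoint returns the same message whether or not the address is registered. All names (`PasswordResetService`, `Account`, `hash_password`, the example addresses) are this example's own assumptions; the in-memory dictionary stands in for a real user store.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional

# Tokens are valid for 15 minutes; a token that is never used simply lapses.
TOKEN_TTL_SECONDS = 15 * 60
# Constant response text so the request endpoint does not reveal whether an
# address is registered (an attacker should learn nothing from the reply).
NEUTRAL_RESPONSE = "If that address is registered, a reset link has been sent."


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256; stored as 'salt$hash' hex (assumed format)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 200_000)
    return hmac.compare_digest(digest.hex(), digest_hex)


@dataclass
class Account:
    email: str
    password_hash: str
    reset_token_hash: Optional[str] = None   # never the raw token
    reset_expires_at: float = 0.0            # unix time; 0 means no pending reset


class PasswordResetService:
    def __init__(self, accounts: Iterable[Account], clock: Callable[[], float] = time.time):
        # Keyed by lower-cased address; the clock is injectable so expiry can be tested.
        self._accounts: Dict[str, Account] = {a.email.lower(): a for a in accounts}
        self._clock = clock

    @staticmethod
    def _hash_token(token: str) -> str:
        # Hashing the token at rest means a leaked user table does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, email: str) -> Optional[str]:
        """Returns the raw token the mailer should send, or None if no such account.

        The web layer must show NEUTRAL_RESPONSE in both cases; the token itself
        goes only into the email, never into the HTTP response.
        """
        acct = self._accounts.get(email.lower())
        if acct is None:
            return None
        token = secrets.token_urlsafe(32)                 # 256 bits from the OS CSPRNG
        acct.reset_token_hash = self._hash_token(token)  # a new request replaces any old token
        acct.reset_expires_at = self._clock() + TOKEN_TTL_SECONDS
        return token

    def response_for(self, email: str) -> str:
        """What the user sees; identical for registered and unknown addresses."""
        self.request_reset(email)
        return NEUTRAL_RESPONSE

    def complete_reset(self, email: str, token: str, new_password: str) -> bool:
        acct = self._accounts.get(email.lower())
        if acct is None or acct.reset_token_hash is None:
            return False
        if self._clock() > acct.reset_expires_at:
            acct.reset_token_hash = None                 # expired tokens are discarded, not retried
            return False
        if not hmac.compare_digest(acct.reset_token_hash, self._hash_token(token)):
            return False                                 # constant-time compare of the hashes
        acct.reset_token_hash = None                     # single use: burn before changing the password
        acct.reset_expires_at = 0.0
        acct.password_hash = hash_password(new_password)
        return True

    def check_login(self, email: str, password: str) -> bool:
        acct = self._accounts.get(email.lower())
        return acct is not None and verify_password(password, acct.password_hash)


if __name__ == "__main__":
    # Constructed sample account for a stand-alone run.
    svc = PasswordResetService([Account("user@example.com", hash_password("old-secret"))])
    print(svc.response_for("nobody@example.com"))        # same text as for a real address
    tok = svc.request_reset("user@example.com")
    print("reset ok:", svc.complete_reset("user@example.com", tok, "new-secret"))
    print("reuse blocked:", not svc.complete_reset("user@example.com", tok, "again"))
```

What this does not fix is the point Richard makes: if the mailbox itself is in the attacker's hands, a perfectly built token flow still hands over the account. The expiry, single use and hashed storage shrink the window and the blast radius; whether email alone is sufficient proof of identity for a given site is a separate design decision, and the example leaves the `complete_reset` method as the natural place to require an additional factor.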

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:51 EDT

