Re: How secure is Email based password reset?
From: Brian Eckman (eckman_at_umn.edu)
Date: 05/08/03
- Previous message: Nick Owen: "RE: How secure is Email based password reset?"
- In reply to: Shekhar Jha: "How secure is Email based password reset?"
- Next in thread: Martchukov Anton: "Re: How secure is Email based password reset?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 08 May 2003 12:22:01 -0500
To: security-basics@securityfocus.com
I'm assuming this is a password reset for a Web site?
I guess I disagree with most people. I think the method that you outline
is reasonable for most uses. I think your assumptions are reasonable
ones. If this is for online banking or something similar, then other
precautions should be included, such as the suggestion I list below.
Obviously, only send the E-mail to their registered E-mail address,
don't let them provide one now. Also, it must be enforced that the
temporary password can be used exactly once.
Something you could consider:
Use SSL on the password reset request Web page. Have it display a random
passphrase that must be entered for the user to reset their password.
E-mail them a customized URL to reset their password on. This page (also
SSL encrypted) should be configured to only be accessible once. Users
must enter the passphrase they were given, as well as choose their new
password, which is not E-mailed to them. Allow 0-2 failures of the
passphrase before expiring the custom URL.
It doesn't really have to be a custom URL, as long as your server can
identify the correct passphrase issued to that account.
If SSL is not used during authentication, then all of this is pointless,
since the password is sent along cleartext anyway. Your described method
would be acceptable if SSL is never used.
Brian
Shekhar Jha wrote:
> One of the ways to implement the password reset is to
> 1. Ask the personal question
> 2. if correctly answered, generates a unique temporary password
> 3. Send the password over email to user.
> 4. This would allow user to login once.
>
> My query is regarding sending the password over email to user. How secure is
> it? Given that,
> 1. The Server would be delivering the password email to an Internet Service
> Provider.
> 2. The user would typically be online waiting for the password email to
> arrive.
> 3. The password would be invalid after the first use.
> How valid are these assumptions?
>
> Any other pointers about different way of re-setting the password would be
> helpful.
--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
612-626-7737
"There are 10 types of people in this world. Those who understand binary and those who don't."
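The flow Brian outlines above (passphrase shown on the SSL page, a one-time URL token e-mailed only to the registered address, a bounded number of passphrase failures before the URL expires), modelled as server-side state. This is an added example, not code from the original post; the class and function names, the two-failure budget and the registered-address lookup are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass

MAX_FAILURES = 2  # "allow 0-2 failures"; 2 is chosen here as an assumption


@dataclass
class ResetRequest:
    account: str
    passphrase: str   # shown on the SSL page, never e-mailed
    failures: int = 0


class ResetService:
    def __init__(self, registered_email):
        # account -> registered e-mail address; the requester may not supply one
        self._registered = registered_email
        self._pending = {}  # URL token -> ResetRequest

    def start_reset(self, account):
        """Step 1 (over SSL): return the passphrase to display on the page, the
        token to embed in the e-mailed URL, and the registered address to send
        it to. Returns None for unknown accounts so nothing is leaked."""
        dest = self._registered.get(account)
        if dest is None:
            return None
        passphrase = secrets.token_urlsafe(12)
        token = secrets.token_urlsafe(32)
        self._pending[token] = ResetRequest(account, passphrase)
        return passphrase, token, dest

    def complete_reset(self, token, passphrase, new_password, set_password):
        """Step 2 (over SSL): the user visits the URL, enters the passphrase
        and picks a new password. The token is consumed on success, and also
        once the failure budget is spent, so the URL works at most once."""
        req = self._pending.get(token)
        if req is None:
            return False
        if not hmac.compare_digest(req.passphrase, passphrase):
            req.failures += 1
            if req.failures >= MAX_FAILURES:
                del self._pending[token]  # expire the custom URL
            return False
        del self._pending[token]  # single use, even before setting the password
        set_password(req.account, new_password)
        return True
```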