Tuesday, March 6, 2007

Implementing 'Forgot Password' feature

Which is the best method for implementing the Forgot Password feature?

1. Displaying the old password after asking a reminder question

2. Displaying a new password after the reminder question

3. Sending a temporary password by mail

4. Sending a temporary link to a ‘Change Password’ page by mail


Answer

The answer to the quiz is 4) Sending a temporary link to a ‘Change Password’ page by mail.
The challenge of a good Forgot Password feature is to prevent an attacker from obtaining the password by impersonation or sniffing, so the first two options are out of the question. Both are similar in that the password is displayed in clear text, which lets an attacker steal it either by sniffing the traffic or by shoulder surfing. Both also require the password to be stored in a recoverable form in the database. Passwords should instead be stored as a one-way hash; a hashed password cannot be recovered, it can only be reset to a new value. That leaves resetting the password to a temporary value and sending this temporary password to the user by mail. Again, an attacker may obtain it by sniffing, or from the mail, which may lie in the user's mailbox for a long time.

So the most secure method of implementing this feature is to send a temporary link to a 'Change Password' page by mail. The application can ask a reminder question and, on getting the right answer, send the user a mail with a link that is active only for a short time. The page behind the link allows the user to set a new password. This way the password can neither be sniffed nor shoulder surfed, and since the link is active for only a short time, there is no risk even if the mail remains in the mailbox.
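The following is an added example of option 4, written for this post rather than taken from it. It issues a random reset token, stores only the token's hash together with an expiry, makes the link single-use, and stores the new password as a salted one-way hash so that it can be reset but never recovered. The fifteen-minute lifetime, the in-memory `USERS` and `RESET_TOKENS` tables and the `/reset-password` URL path are all assumptions standing in for a real application's database and routing.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed in-memory stores standing in for database tables (assumption).
USERS = {"alice": {"email": "alice@example.com", "pw_hash": None}}
RESET_TOKENS = {}  # sha256(token) -> {"user", "expires", "used"}

TOKEN_TTL_SECONDS = 15 * 60   # link lifetime; an assumed policy value
PBKDF2_ITERATIONS = 210_000   # work factor for the stored password hash


def _hash_token(token: str) -> str:
    # Only the hash is stored: a leaked RESET_TOKENS table yields no usable links.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_link(username: str, base_url: str, now: Optional[float] = None) -> Optional[str]:
    """Create a single-use, time-limited reset link once the reminder question was answered."""
    now = time.time() if now is None else now
    if username not in USERS:
        return None  # the caller should answer identically whether or not the account exists
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG; never stored in clear
    RESET_TOKENS[_hash_token(token)] = {
        "user": username,
        "expires": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return f"{base_url}/reset-password?token={token}"


def token_from_link(link: str) -> str:
    """Extract the token the browser would send back when the user follows the link."""
    return parse_qs(urlparse(link).query)["token"][0]


def consume_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the owning username if the token is known, unexpired and unused; mark it used."""
    now = time.time() if now is None else now
    record = RESET_TOKENS.get(_hash_token(token))
    if record is None or record["used"] or now > record["expires"]:
        return None
    record["used"] = True  # a mail that lingers in the mailbox cannot be replayed
    return record["user"]


def reset_password(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Set a new password for the token's owner, stored as a salted one-way hash."""
    username = consume_reset_token(token, now)
    if username is None:
        return False
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, PBKDF2_ITERATIONS)
    USERS[username]["pw_hash"] = (salt, pw_hash)
    return True


def verify_password(username: str, password: str) -> bool:
    """Normal login check against the stored hash; constant-time comparison."""
    user = USERS.get(username)
    if user is None or user["pw_hash"] is None:
        return False
    salt, stored = user["pw_hash"]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    link = issue_reset_link("alice", "https://app.example")
    print("mail this link to the user:", link)
    print("reset ok:", reset_password(token_from_link(link), "correct horse battery"))
    print("login ok:", verify_password("alice", "correct horse battery"))
    print("replay rejected:", not reset_password(token_from_link(link), "again"))
```

The two properties the post relies on are visible in `consume_reset_token`: the expiry check bounds how long a mail sitting in the mailbox is worth anything, and the `used` flag means a link works exactly once. The password itself never travels in the mail and is never stored in a form that `issue_reset_link` could hand back.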
