
Is this secure



timgolding
03-09-2007, 12:41 AM
A lot of web sites offer the chance to reset your password. If you've forgotten your password you can say you've forgotten your password. Then the site usually does one of the following:

Send the password via email
Reset the password and send the reset password via email


Can emails not be sniffed for text such as the text of the password in the email? How can you encrypt the email? Is there anything you can do?

_Aerospace_Eng_
03-09-2007, 12:47 AM
What I would do is give them a temporary link that allows them to reset their password. They would have to use the site's interface to reset it rather than have it in an email. Secret questions are often good ways to make sure it's that person changing their password.

timgolding
03-09-2007, 01:00 AM
Yes, good idea. Maybe a link with a hashed GET query string such as

index.php?password_reset=32e09232d75641f6dbdf2552b3e3319b

I wonder if it would be a good idea including a timeout to stop the reset being valid after a certain time period.

I guess when they click the link they get directed to a page that asks their secret question, then if correct reset the password, otherwise? - Destroy them!!
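The reset-link design sketched in this thread (a token in the query string, a timeout, and the reset done through the site's own form rather than by mailing a password) can be put together as follows. This is an added example written for this page, not code from any poster; the store, the 15-minute lifetime, the hostname example.test and the function names are all assumptions. The point it demonstrates beyond the thread: the token in the link should be random from the OS CSPRNG rather than a hash of something a third party could guess, only a hash of the token is kept server-side (so a leaked table does not hand out working links), and each token is tied to one account, expires, and works exactly once.

```python
import hashlib
import secrets
from dataclasses import dataclass

# Hypothetical policy: a reset link stays valid for 15 minutes.
TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class PendingReset:
    user_id: str
    token_hash: str   # SHA-256 of the token; the raw token is never stored
    expires_at: int   # Unix time after which the link is dead
    used: bool = False


class ResetStore:
    """In-memory stand-in for the database table a real site would use
    (constructed for this example)."""

    def __init__(self):
        self._by_hash = {}

    def save(self, rec: PendingReset) -> None:
        self._by_hash[rec.token_hash] = rec

    def get(self, token_hash: str):
        return self._by_hash.get(token_hash)


def _hash_token(token: str) -> str:
    # A fast hash is fine here: the token already has 256 bits of entropy,
    # so an attacker holding the hash still cannot recover the token.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(store: ResetStore, user_id: str, now: int,
                      ttl: int = TOKEN_TTL_SECONDS) -> str:
    """Create a one-time reset token for user_id and return it for emailing.
    The token is 32 random bytes from the OS CSPRNG, not derived from the
    username, email address or time, so it cannot be predicted."""
    token = secrets.token_urlsafe(32)
    store.save(PendingReset(user_id, _hash_token(token), now + ttl))
    return token


def reset_link(token: str) -> str:
    """Build the URL that goes in the email (example.test is a placeholder host)."""
    return f"https://example.test/index.php?password_reset={token}"


def consume_reset_token(store: ResetStore, token: str, now: int):
    """Validate a token presented via the link. Returns the user_id whose
    password may now be changed, or None if the token is unknown, expired
    or already used. A valid token is burned on first use."""
    rec = store.get(_hash_token(token))
    if rec is None or rec.used or now > rec.expires_at:
        return None
    rec.used = True
    return rec.user_id


if __name__ == "__main__":
    store = ResetStore()
    tok = issue_reset_token(store, "alice", now=1_000_000)
    print("mail this link:", reset_link(tok))
    print("first use  ->", consume_reset_token(store, tok, now=1_000_060))
    print("second use ->", consume_reset_token(store, tok, now=1_000_061))
```

The secret question the thread mentions fits naturally as an extra check on the page the link opens: the token alone identifies the pending reset, and the answer is verified before the new password is accepted. Keeping the password itself out of the email also answers the original sniffing concern, since the link is short-lived and useless once consumed.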


