Is this secure

03-09-2007, 12:41 AM
A lot of web sites offer the chance to reset your password. If you've forgotten your password you can say you've forgotten your password. Then the site usually does one of the following:

Send the password via email
Reset the password and send the reset password via email

Can emails not be sniffed for text such as the text of the password in the email? How can you encrypt the email? Is there anything you can do?

03-09-2007, 12:47 AM
What I would do is give them a temporary link that allows them to reset their password. They would have to use the site's interface to reset it rather than have it in an email. Secret questions are often good ways to make sure it's that person changing their password.

03-09-2007, 01:00 AM
Yes, good idea, maybe a link with a hashed GET query string such as


I wonder if it would be a good idea including a timeout to stop the reset being valid after a certain time period.

I guess when they click the link they get directed to a page that asks their secret question then if correct reset the password otherwise? - Destroy them!!
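
The temporary reset link with a timeout discussed in this thread, as an added example that is not part of any post: a random single-use token goes in the link and only its hash is kept server-side. The in-memory dict, the `example.com` URL, the 30-minute timeout and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

RESET_TTL = 30 * 60   # assumed timeout: 30 minutes
_pending = {}         # user -> (sha256 of token, expiry); stands in for a DB table


def _digest(token):
    return hashlib.sha256(token.encode()).digest()


def issue_reset_link(user, now=None):
    """Create a one-time link; only the token's hash is stored server-side."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    # Issuing a new token replaces any older one for the same user.
    _pending[user] = (_digest(token), now + RESET_TTL)
    # Hypothetical URL; the reset page itself would be served over HTTPS.
    return "https://example.com/reset?" + urlencode({"user": user, "token": token})


def redeem(user, token, now=None):
    """True only for the current, unexpired token; it is consumed on success."""
    now = time.time() if now is None else now
    # Unknown users get a dummy record so the same comparison still runs.
    stored, expiry = _pending.get(user, (b"\0" * 32, 0.0))
    ok = hmac.compare_digest(stored, _digest(token)) and now < expiry
    if ok:
        del _pending[user]              # single use
    elif user in _pending and now >= expiry:
        del _pending[user]              # drop expired entries
    return ok


if __name__ == "__main__":
    link = issue_reset_link("alice")
    print(link)
    print(redeem("alice", link.split("token=", 1)[1]))   # first use succeeds
    print(redeem("alice", link.split("token=", 1)[1]))   # replay is rejected
```

The password is never emailed; a mailbox copy of the link stops working after it is used once or the timeout passes.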