Password retrieval system

Posted by enjoywithneha on August 2, 2006, 3:08 am
I wish to set up an automatic password recovery system on my website,
like the one most of the sites have nowadays. You need to enter your
mail-id as provided earlier or answer the secret question. Can anyone
please help me to understand exactly how it works and what the
possible security threats involved are?


Posted by Doug McIntyre on August 2, 2006, 9:00 am
enjoywithneha@yahoo.com writes:
>I wish to set up an automatic password recovery system on my website,
>like the one most of the sites have nowadays. You need to enter your
>mail-id as provided earlier or answer the secret question. Can anyone
>please help me to understand exactly how it works and what the
>possible security threats involved are?

The code gets the data out of the database and sends an email, or
verifies the response?

Security threats are that your info is probably in the database in the
clear, or at best, in some recoverable to clear-text format.



Posted by Unruh on August 2, 2006, 6:26 pm
enjoywithneha@yahoo.com writes:

>I wish to set up an automatic password recovery system on my website,
>like the one most of the sites have nowadays. You need to enter your
>mail-id as provided earlier or answer the secret question. Can anyone
>please help me to understand exactly how it works and what the
>possible security threats involved are?

The problem is that you need to keep a database of cleartext passwords on
your system. This makes it an ideal hacker target, since people often reuse
their passwords. Thus by grabbing your database, they will have a huge list
of people, their email addresses and their passwords probably to other
systems.
Passwords should always be one way, so that the customer can change their
password with appropriate permission from your system, but cannot be told
their password.

Posted by kneofyte on August 3, 2006, 2:16 am
enjoywithneha@yahoo.com wrote:
> I wish to set up an automatic password recovery system on my website,
> like the one most of the sites have nowadays. You need to enter your
> mail-id as provided earlier or answer the secret question. Can anyone
> please help me to understand exactly how it works and what the
> possible security threats involved are?
>
Never mail the original password to an email-id. The original password
should be stored as secured one-way hashes, preferably at least SHA-256,
in your database/file. If a user has lost his/her password, make them
answer some question before mailing a random one-time password to their
email accounts.

-Neo
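The flow the replies above describe (one-way password storage, a random single-use secret mailed instead of the password), as an added example that is not from any poster in this thread. It uses salted, iterated PBKDF2-HMAC-SHA256 rather than a bare SHA-256 hash, stores only a hash of the reset token with an expiry, and uses in-memory dicts as stand-ins for the database; the e-mail sending step and the secret-question check are left to the caller.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stand-ins for the database tables.
USERS = {}           # email -> {"salt": bytes, "pw_hash": bytes}
RESET_TOKENS = {}    # email -> {"token_hash": bytes, "expires": float}

PBKDF2_ITERATIONS = 600_000   # slows offline cracking of a leaked table
TOKEN_TTL_SECONDS = 15 * 60   # reset secret is only valid briefly

def hash_password(password: str, salt: bytes) -> bytes:
    # One-way, salted, iterated derivation: the stored value cannot be turned
    # back into the password, so nothing here can "tell" a user their password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

def register(email: str, password: str) -> None:
    salt = secrets.token_bytes(16)           # per-user salt defeats shared rainbow tables
    USERS[email] = {"salt": salt, "pw_hash": hash_password(password, salt)}

def verify_password(email: str, password: str) -> bool:
    user = USERS.get(email)
    if user is None:
        return False
    return hmac.compare_digest(user["pw_hash"], hash_password(password, user["salt"]))

def start_reset(email: str, now: float):
    # Returns the one-time secret to e-mail to the user; only its hash is kept,
    # so a database copy does not hand an attacker usable reset links.
    if email not in USERS:
        return None      # respond to the user identically either way
    token = secrets.token_urlsafe(32)        # 256 bits of CSPRNG output
    RESET_TOKENS[email] = {
        "token_hash": hashlib.sha256(token.encode()).digest(),
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return token

def finish_reset(email: str, token: str, new_password: str, now: float) -> bool:
    entry = RESET_TOKENS.get(email)
    if entry is None or now > entry["expires"]:
        RESET_TOKENS.pop(email, None)        # expired secrets are discarded
        return False
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(entry["token_hash"], presented):
        return False
    RESET_TOKENS.pop(email)                  # single use: consumed on success
    register(email, new_password)            # fresh salt and hash replace the old
    return True
```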
