[development] password generation/sending

[development] password generation/sending renaudh 02-17-2007
Posted by on February 17, 2007, 2:11 am
Hello;
I need to automatically generate and reset passwords for users
(that's a requirement), but I do not know how to send it to them, as
it should be encrypted on the network.

I think email is not secured, as not all users will have encryption on
their Email client (hotmail...).
Any idea how to do that?

Renaud


Posted by Walter Roberson on February 17, 2007, 10:49 am

>I need to automatically generate and reset passwords for users
>(that's a requirement), but I do not know how to send it to them, as
>it should be encrypted on the network.
>
>I think email is not secured, as not all users will have encryption on
>their Email client (hotmail...).
>Any idea how to do that?

Your requirements are internally incompatible. There is *no*
secure way in which to transmit plain-text passwords over an insecure
network. (This is sometimes called "the key distribution problem".)

Posted by on February 18, 2007, 9:55 am
On 17 Feb, 16:49, rober...@hushmail.com (Walter Roberson) wrote:
>
> >I need to automatically generate and reset passwords for users
> >(that's a requirement), but I do not know how to send it to them, as
> >it should be encrypted on the network.
>
> >I think email is not secured, as not all users will have encryption on
> >their Email client (hotmail...).
> >Any idea how to do that?
>
> Your requirements are internally incompatible. There is *no*
> secure way in which to transmit plain-text passwords over an insecure
> network. (This is sometimes called "the key distribution problem".)

You are right.
I might use the following approach:

When user is created, an Email will be sent to him
Email will contain a link to a https web page (link will only last 24
hours)
On the web page, he will be prompted to answer a secret question (he
chose the question + answer when creating his account)
If successful, the page will display the generated password (he will
have to change it at his first login).

Same procedure if he wants to reset his password.

The only problem I can see is Phishing using a web page that would
look like my web page.

Any comment is welcome :)

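The flow Renaud sketches above (emailed https link that lasts 24 hours, secret question on the page, generated password shown once and forced to change at first login) has a few details that decide whether it holds up: the link token must be unguessable and stored only as a hash, it must be single-use as well as time-limited, the secret answer must be compared in constant time and rate-limited, and the generated password must come from a cryptographic random source. The following is an added example written for this thread, not code from the original post; the names USERS, RESET_TOKENS, create_user, issue_reset_link, redeem_reset_link and verify_password, and the placeholder host example.invalid, are this example's own assumptions.

```python
import hashlib
import hmac
import secrets
import string
import time
from typing import Optional

# Added example; not from the thread. The tables below are constructed,
# in-memory stand-ins for the persistent storage a real deployment would use.
USERS = {}           # username -> account record
RESET_TOKENS = {}    # sha256(token) -> {username, expires, used}
TOKEN_TTL_SECONDS = 24 * 60 * 60       # the 24-hour link lifetime from the post
MAX_WRONG_ANSWERS = 5                  # kill the link after repeated guesses
PASSWORD_ALPHABET = string.ascii_letters + string.digits
PBKDF2_ROUNDS = 200_000


def _normalize(answer: str) -> str:
    # Secret answers are compared case-insensitively, ignoring extra spaces.
    return " ".join(answer.casefold().split())


def _kdf(secret: str, salt: bytes) -> bytes:
    # Slow, salted hash for both the secret answer and the password, so a
    # database leak does not hand an attacker either value in the clear.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def create_user(username: str, question: str, answer: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[username] = {
        "question": question,
        "answer_salt": salt,
        "answer_hash": _kdf(_normalize(answer), salt),
        "password_salt": None,
        "password_hash": None,
        "must_change_password": True,
        "wrong_answers": 0,
    }


def issue_reset_link(username: str, now: Optional[float] = None) -> str:
    """Return the https link to email. Only a hash of the token is stored, so a
    copy of the table cannot be turned back into a working link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    digest = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[digest] = {"username": username,
                            "expires": now + TOKEN_TTL_SECONDS,
                            "used": False}
    return f"https://example.invalid/reset?token={token}"  # placeholder host


def generate_password(length: int = 16) -> str:
    # secrets.choice draws from the CSPRNG; random.choice would be guessable.
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def redeem_reset_link(token: str, answer: str,
                      now: Optional[float] = None) -> Optional[str]:
    """Check the link (unexpired, unused) and the secret answer. On success set
    a freshly generated password, flag it must-change, and return it for the
    https page to display. Returns None on any failure, without saying why."""
    now = time.time() if now is None else now
    record = RESET_TOKENS.get(hashlib.sha256(token.encode()).hexdigest())
    if record is None or record["used"] or now > record["expires"]:
        return None
    user = USERS[record["username"]]
    if user["wrong_answers"] >= MAX_WRONG_ANSWERS:
        record["used"] = True  # too many guesses: this link is dead
        return None
    given = _kdf(_normalize(answer), user["answer_salt"])
    if not hmac.compare_digest(given, user["answer_hash"]):  # constant time
        user["wrong_answers"] += 1
        return None
    record["used"] = True  # single use, even well inside the 24 hours
    user["wrong_answers"] = 0
    new_password = generate_password()
    user["password_salt"] = secrets.token_bytes(16)
    user["password_hash"] = _kdf(new_password, user["password_salt"])
    user["must_change_password"] = True  # login must force a change
    return new_password


def verify_password(username: str, password: str) -> bool:
    user = USERS.get(username)
    if user is None or user["password_hash"] is None:
        return False
    return hmac.compare_digest(_kdf(password, user["password_salt"]),
                               user["password_hash"])
```

Two points relate directly to the concerns raised in the thread. The page reached by the link only ever displays a new password and asks for the secret answer; it never asks for an existing password, which limits what a look-alike phishing page could harvest to the secret answer. And because the token is stored hashed and burned on first use, someone who later reads the mailbox (the forwarding, webmail and proxy cases Walter mentions) finds an expired or spent link rather than a usable one.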

Posted by Walter Roberson on February 18, 2007, 1:26 pm

>I might use the following approach:

>When user is created, an Email will be sent to him
>Email will contain a link to a https web page (link will only last 24
>hours)
>On the web page, he will be prompted to answer a secret question (he
>chose the question + answer when creating his account)
>If successful, the page will display the generated password (he will
>have to change it at his first login).

>Same procedure if he wants to reset his password.

If person X has not yet created an account but is authorized to
have one, then what safeguards exist to prevent person Y from
creating an account in person X's name?

Is all of this happening in an internal network, or over a public
network? If intended as an internal network, recall that email has
a tendency to get read outside of the internal network, by forwarding
or VPNs or proxies or "webmail" pages. If intended as an internal
network, what degree of trust is there of the users?

Is there a list of authorized users? If not, then how will you prevent
joke accounts or multiple accounts per user?


>The only problem I can see is Phishing using a web page that would
>look like my web page.

Worries about phishing tend to suggest to me that you are planning
to do this over public networks.
