[WEB SECURITY] First time login and password resets...

Milton Smith bull7 at mac.com
Mon Jan 31 11:00:03 EST 2011


Hello,

Wondering what everyone does to communicate first time credentials or password resets to users.  There are two challenges.

1. Ensure the person we communicate credentials to is the correct person (e.g., owner of credentials).
2. Do not disclose credentials in plain text over the network.

To a certain extent the computer has not helped us with these challenges.  Simply reverting to the phone does not solve these challenges either.  For example, calling a user with their new credentials is similar to mailing the credentials in the clear.  It's likely IT staff does not know the person on the other end of the line, and phone conversations can be intercepted.

The solution I have been considering is to email an HTTPS link to users.  Next, mandatory password reset at logon.  This prevents sniffing credentials over the net.  Of course, you can sniff the URL then log in.  However, if this is done it will be obvious to the user, since they will not be able to log on with the password they were sent.  A bit after the fact, I realize, but perhaps better than nothing.  Next, what if I made the link so it's only good for 10 mins or some limited window?  This helps limit the window of opportunity.  Anyway, this solution is not perfect, but perhaps better than passwords in the clear or calling people we don't know.  Key fobs, other hardware solutions, or client-side certs are likely out since it's a cloud-based solution.

Do you have any interesting thoughts or suggestions for how you approached these challenges?

Kind Regards,
Milton Smith
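The time-limited HTTPS link described in the post, written out as an added example (not code from the post or from any list member): the server stores only a hash of a random token, the token expires after the 10-minute window, and it is consumed on first use, so a replay by someone who sniffed the URL makes the legitimate user's attempt fail visibly. The `ResetStore` in-memory table and the `https://example.test/reset` URL are assumptions for the demo.

```python
# Added example: single-use, time-limited password-reset token for an HTTPS link.
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlencode

RESET_TTL_SECONDS = 600  # the 10-minute window suggested in the post


@dataclass
class ResetRecord:
    user_id: str
    expires_at: float
    used: bool = False


@dataclass
class ResetStore:
    # Assumed in-memory table; keyed by SHA-256 of the token so a leaked
    # database row does not expose a live reset link.
    records: Dict[str, ResetRecord] = field(default_factory=dict)


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(store: ResetStore, user_id: str, now: Optional[float] = None) -> str:
    """Create a fresh token for user_id; the raw value is sent only to the user."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of entropy: not guessable
    store.records[_digest(token)] = ResetRecord(user_id, now + RESET_TTL_SECONDS)
    return token


def build_reset_link(base_url: str, token: str) -> str:
    """The link to email; over HTTPS the token is only exposed inside TLS."""
    return base_url + "?" + urlencode({"token": token})


def redeem_reset_token(store: ResetStore, token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user_id if the token is known, unexpired and unused, then consume it."""
    now = time.time() if now is None else now
    rec = store.records.get(_digest(token))
    if rec is None or rec.used or now > rec.expires_at:
        return None
    rec.used = True  # single use: a second redemption (e.g. a replay) is refused
    return rec.user_id
```

On redemption the application should still force the user to choose a new password before granting a session, as the post proposes.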