[WEB SECURITY] First time login and password resets...

McKean, John john.mckean at state.or.us
Mon Jan 31 12:15:36 EST 2011

While our solution is not perfect it is a balance between security and getting business done. When our users request a password reset we leave a one-time password in their voicemail. Of course if someone compromises a users voice mail they can easily get a password for their account so it is not perfect!

John R. McKean II, CISSP(r)
Sr. Information Security Analyst

From: websecurity-bounces at lists.webappsec.org [mailto:websecurity-bounces at lists.webappsec.org] On Behalf Of Milton Smith
Sent: Monday, January 31, 2011 8:00 AM
To: websecurity at lists.webappsec.org
Subject: [WEB SECURITY] First time login and password resets...


Wondering what everyone does to communicate first time credentials or password resets to users.  There are two challenges.

  1.  Ensure person we communicate credentials to is the correct person (e.g., owner of credentials)
  2.  Do not disclose credentials in plain text over network
To a certain extent the computer has not helped us with these challenges.  Simply reverting to phone does not solve these challenges either.  For example, calling a user with their new credentials is similar to mailing the credentials in the clear.  It's likely IT staff does not know the person on the other end of line and phone conversations can be intercepted.

The solution I have been considering is to email an HTTPS link to users.  Next, mandatory password reset at logon.  This prevents sniffing credentials over net.  Of course, you can sniff the URL then login.  However, if this is done it will be obvious to the user since they will not be able to logon with the password they were sent.  A bit after the fact I realize but perhaps better than nothing.  Next, what if I made the link so it's only good for 10 mins or some limited window.  This helps limit the window of opportunity.  Anyway, this solution is not perfect but perhaps better than passwords in the clear or calling people we don't know.  Key fobs, other hardware solutions, or client side certs are likely out since it's a cloud based solution.

Do you have any interesting thoughts or suggestions for how you approached these challenges?

Kind Regards,
Milton Smith
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20110131/4f4ab0d6/attachment-0003.html>

More information about the websecurity mailing list