[thelist] changing password design

Tony Crockford tonyc at boldfish.co.uk
Fri Sep 12 04:30:00 CDT 2003

On Fri, 12 Sep 2003 10:20:06 +0100, Simon Willison <cs1spw at bath.ac.uk> 

> Chris W. Parker wrote:
>> What's a good secure design for allowing a customer to change their
>> password?
>> I've come up with two options so far:
>> 1. Take the user to a page that has a small form (three input fields).
>> First they enter their old password, then enter the new password twice,
>> submit the form and they are done.
>> 2. They click a link says something like "Send instructions on changing
>> password". The "instructions" in the email are basically a link for the
>> user to click with a unique one time use id that is meant to verify that
>> the person changing the password is actually the owner of the account.
>> Assuming the malicious person does not have access to the victims email
>> box they would not be able to change the victim's password and thus lock
>> them out.
> I see no advantage of #2 over #1. #1 relies on a "secret" that you can 
> already assume is secure - their current paszsword. If someone else has 
> this already then the user's security is already compromised. #2 relies 
> on something that may be insecure - their inbox. As a simple example, 
> they could leave their PC on when they go to lunch thus giving an 
> opportunity for a co-worker to request the instructions to the victim's 
> inbox, change their password and delete the email before they get back.
> I would definitely go with #1.

unless the reason they need a new password is they have forgotton their 
old one.

usual approach to this is to store another secret (or two) such as pet's 
name, mothers maiden name etc which they are required to enter to get a 
new password; even a user generated question and answer pair if needed - 
what's my favorite food - brussel sprouts

I like the combination of 1 and 2 with the "extra" secrets option.

a form to check who you are (old password or extra secrets) which sends an 
email with a link to a new password generator page which checks again on 
other secrets before allowing you to set a new password.

This confirms that the email address you are using is valid and that you 
know at least two secrets about yourself.




Sent with M2, Opera's revolutionary e-mail client:

More information about the thelist mailing list