[thelist] changing password design

Chris W. Parker cparker at swatgear.com
Thu Sep 11 18:46:44 CDT 2003


Hi.

What's a good secure design for allowing a customer to change their
password?

I've come up with two options so far:

1. Take the user to a page that has a small form (three input fields).
First they enter their old password, then enter the new password twice,
submit the form and they are done.

2. They click a link that says something like "Send instructions on changing
password". The "instructions" in the email are basically a link for the
user to click with a unique one-time-use id that is meant to verify that
the person changing the password is actually the owner of the account.
Assuming the malicious person does not have access to the victim's email
box, they would not be able to change the victim's password and thus lock
them out.

What are some other methods I'm not thinking of?

I'm going to assume that #2 would be more desirable from a security
standpoint, but I'm concerned that it may be overkill?


Thanks,
Chris.
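Both flows from the post, written out as an added example (this is illustration code, not anything Chris posted or from any real site). It assumes an in-memory `users` table and made-up constants (`MIN_LENGTH`, `TOKEN_TTL`, `PBKDF2_ROUNDS`); a real deployment would back this with a database and send the token by email. The points it makes concrete: option 1 re-authenticates with the old password before anything else, passwords are only ever stored salted and hashed, and option 2's token is unguessable, stored only as a hash, expires, and can be redeemed exactly once.

```python
"""Two password-change flows: (1) old + new + confirm, (2) one-time emailed token.

Added example, not code from the original post. The `users` dict and the
constants below are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional

MIN_LENGTH = 8            # assumed minimum length for a new password
TOKEN_TTL = 15 * 60       # assumed lifetime of a mailed reset link: 15 minutes
PBKDF2_ROUNDS = 200_000   # iteration count for the password hash

# Constructed in-memory account table: username -> record.
users: dict = {}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the plaintext password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def create_user(username: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    users[username] = {"salt": salt, "hash": hash_password(password, salt),
                       "reset": None}


def _set_password(rec: dict, new: str) -> None:
    rec["salt"] = secrets.token_bytes(16)   # fresh salt on every change
    rec["hash"] = hash_password(new, rec["salt"])
    rec["reset"] = None                     # any pending reset link dies here


def _validate_new(new: str, confirm: str) -> Optional[str]:
    if new != confirm:
        return "mismatch"
    if len(new) < MIN_LENGTH:
        return "too_short"
    return None


# --- Option 1: old password, then the new password entered twice ----------
def change_password(username: str, old: str, new: str, confirm: str) -> str:
    rec = users.get(username)
    if rec is None:
        return "no_such_user"
    # Re-authenticate with the old password before touching anything.
    # compare_digest keeps the comparison constant-time.
    if not hmac.compare_digest(hash_password(old, rec["salt"]), rec["hash"]):
        return "bad_old_password"
    err = _validate_new(new, confirm)
    if err:
        return err
    _set_password(rec, new)
    return "ok"


# --- Option 2: mailed link carrying a one-time, expiring token ------------
def issue_reset_token(username: str, now: Optional[float] = None) -> Optional[str]:
    """Returns the token to embed in the mailed link, or None if no such user."""
    rec = users.get(username)
    if rec is None:
        return None
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    # Store only a hash of the token, so a leaked database cannot be used
    # to forge the link; keep the expiry alongside it.
    rec["reset"] = {"hash": hashlib.sha256(token.encode()).digest(),
                    "expires": (time.time() if now is None else now) + TOKEN_TTL}
    return token


def redeem_reset_token(username: str, token: str, new: str, confirm: str,
                       now: Optional[float] = None) -> str:
    rec = users.get(username)
    if rec is None or rec["reset"] is None:
        return "invalid_token"
    pending = rec["reset"]
    if (time.time() if now is None else now) > pending["expires"]:
        rec["reset"] = None
        return "expired"
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(presented, pending["hash"]):
        return "invalid_token"
    err = _validate_new(new, confirm)
    if err:
        return err
    _set_password(rec, new)   # also clears the token, so the link is single-use
    return "ok"


if __name__ == "__main__":
    create_user("alice", "correct horse battery")
    print(change_password("alice", "wrong", "new-password-1", "new-password-1"))
    print(change_password("alice", "correct horse battery", "new-password-1", "new-password-1"))
    t = issue_reset_token("alice")
    print(redeem_reset_token("alice", t, "another-pass-2", "another-pass-2"))
    print(redeem_reset_token("alice", t, "yet-another-3", "yet-another-3"))
```

Whichever option is chosen, the same `_set_password` path is used, so a successful change always rotates the salt and discards any outstanding reset link; a real implementation would also terminate the user's other active sessions at that point. Note that the two flows answer different questions: option 1 proves the person at the keyboard knows the current password, option 2 proves they control the mailbox, which is why the latter is what a "forgot my password" recovery needs and the former is enough for a routine change.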

