September 29th, 2004 11:31 PM
Transmitting Account Information via Email
Not sure if this is the right place to put this, but I hope so, because I really am looking for some clarification on this issue. Lots of questions... here goes... I am curious about what practices would be considered acceptable or unacceptable related to transmitting account information to users' email addresses.
Is it inappropriate to email a customer their password to their registered email address in an unencrypted format?
What is the real potential for someone to intercept an email containing relatively sensitive information like this?
Is there really any totally secure way to handle such a situation where a user forgets their password?
If anyone has some web sites that offer best practices related to this kind of thing, please post them.
September 29th, 2004 11:38 PM
It's definitely not 100% secure to send the username and password through email, it's not really secure at all simply because it is plain text.... (unless they're running some sort of encryption... but how many users that lose their password use encryption... or know what it is)...
I can tell you how we handle passwords at our service desk...
There's an online forgot your password mechanism... students must know their student number and either their password for our other site, their SIN (Social Insurance Number), or their date of birth (depending on the courses enrolled in) to obtain their password.. Then it's displayed on screen... (all done over HTTPS).. Our other site takes your last name and either your student number or SIN and emails a new temp password to your college email account. So you always need one account's details to get the other... If you lose both.. we come into play.. You call us and give us your student number... we verify your identity with two pieces of information (postal code, middle name, email address on record).. and give it to you... In person you can walk in with your student card... or student number and photo ID and we'll give it to you... and by email you can email us the required information and you'll also receive the information you require.... We try to verify... even if it isn't the best method... before we hand out the person's information....
Is what we do secure? Not entirely... but for the most part it keeps the users' information fairly safe.
IT Blog: .:Computer Defense:.
(Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".
September 30th, 2004 01:05 AM
When I was subbing for M$, number one rule was NEVER EVER email a customer's password to them. Get on the phone, call and verify the customer's ID and then give it to them. No exceptions.
It isn't paranoia when you KNOW they're out to get you...
September 30th, 2004 02:50 AM
The most common approach you will see today in automated systems does the following:
- User visits a special "I forgot my password" page and enters their account name (and/or email address).
- They are then forwarded to another page that asks two challenge questions. These are entered by the user at registration time.
- If they complete the challenge questions, the password is set to something new and random. This new password is temporarily stored in a special table in the site's database, associated with a particular randomly-generated key code.
- The user is emailed a secure link (HTTPS) that references the key code and displays the person their randomly generated password. They can then use this password to log in and then immediately change it.
- Upon first login with this new temporary password, it deletes the entry in the temporary key-code table.
This is a decently secure way of doing it that is automated. In some ways, it may be more secure than speaking with someone on the phone.
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?
September 30th, 2004 02:56 AM
Passwords are like credit card #'s. They should never be sent to the customers or displayed on a web page. It is simpler to have the user pass the authentication questions and then simply set the password to a new value themselves. If they cannot remember the answers to their own challenge questions then they should be sent to someone in customer service that can authenticate them over the phone and aid the user in re-setting their password.
"When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
"There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
"Mischief my ass, you are an unethical moron." - chsh
Blog of X
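An added example, not code from any poster in this thread: a sketch of the key-code reset flow outlined in the 02:50 AM reply, combined with the 02:56 AM reply's point that the user should set the new password rather than be shown one. The 15-minute lifetime, storing only a hash of the key code, and all names (`ResetStore`, `complete_reset`, `reset_link`) are assumptions made for the example.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: the thread does not give a lifetime

class ResetStore:
    """In-memory stand-in for the 'special table' of pending resets."""
    def __init__(self, clock=time.time):
        self._pending = {}  # sha256(key code) -> (account, expiry time)
        self._clock = clock

    @staticmethod
    def _digest(key_code):
        return hashlib.sha256(key_code.encode()).hexdigest()

    def issue(self, account):
        """Call only after the challenge questions were answered correctly."""
        # A new request invalidates any older pending key code for the account.
        self._pending = {d: v for d, v in self._pending.items() if v[0] != account}
        key_code = secrets.token_urlsafe(32)  # unguessable, from the OS CSPRNG
        self._pending[self._digest(key_code)] = (account, self._clock() + TOKEN_TTL_SECONDS)
        return key_code  # goes into the emailed link; only its hash is stored

    def redeem(self, key_code):
        """Return the account for a valid key code; the entry is deleted either way."""
        entry = self._pending.pop(self._digest(key_code), None)
        if entry is None or self._clock() > entry[1]:
            return None
        return entry[0]

def reset_link(base_url, key_code):
    if not base_url.startswith("https://"):
        raise ValueError("reset links must use HTTPS")
    return f"{base_url}?key={key_code}"

def complete_reset(store, passwords, key_code, new_password):
    """The user chooses the new password; only a salted PBKDF2 hash is kept."""
    account = store.redeem(key_code)
    if account is None:
        return False
    salt = secrets.token_bytes(16)
    passwords[account] = (salt, hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 600_000))
    return True
```

Nothing that travels by email or sits in the pending table is a usable password: an intercepted link is good for one use within the lifetime, and a leaked table holds only hashes of key codes.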
September 30th, 2004 06:25 PM
Just wanted to thank everyone for their feedback. Very helpful and much appreciated!