
Re: [cpx] Wishlist: forgotten password



At 06:06 PM 4/22/2005, Scott Wiersdorf wrote:
> I still don't see how the end user could receive the new password
> securely. It can't be mailed to their CPX account (since they need the
> password to login). I'm open to any other ideas you might have on
> this. You can do the "what is the name of your pet?" style of
> authentication, but that's essentially another (much, much, weaker)
> form of authentication and has to be stored also somewhere on the
> server.

Actually, because CPX is used for more than just mail and the mail is POP3, in most cases users are getting their email through their email client instead of reading it on the Webmail. Their email client holds the password (although it is ***** and cannot be read) but they can still get email. A new password could be sent to them and they could receive it.

I have a number of programs running that will handle the forgotten password in a number of different ways. For instance, one program will regenerate a password and send it to them. Another makes them authenticate with a passcode before sending them the password.

I do understand the concern for security and am aware that basic authentication doesn't provide for a password to be sent. However, there should be a way to do this without jeopardizing security. I know that my time is better spent without having to reset passwords for people who don't write things down. I'll give this some more thought to see if I can come up with a suggestion or two.

Keep up the good work, guys.

Best wishes,
Rae
======================================================================
This is <cpx@xxxxxxxxxxxxx>      <http://www.groupmail.org/lists/cpx/>
Before posting a question, please search the archives (see above URL).

