Your concern

When resetting a password it is a common practice to send a token to the user. The token being a long random string. You do not necessarily need the email address in the reset-URL.

You could call the reset URL with this token and reset the password for the account to which the token belongs.

But see this: If you are using a "6-digit token", that is only 1 million possibilities. Then an attacker could try all values and this way he would be able to reset several passwords. And if the response is, "your password for [email protected] has been reset", then the attacker would get several accounts with freshly reset passwords.

Without ANY NEED to intercept any email.

basically for transactions

You may also take a look at the defaults, TOTP (RFC6238) and maybe OCRA (RFC6287).

OCRA also lets you generate the OTP value based on transaction data - like the money to be sent.

cornelinux
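The two points of the answer above, worked through in code. This is an added example, not code from cornelinux or from the question's project: it shows (1) the arithmetic behind the 6-digit concern, (2) a reset flow in which the token alone selects the account, is long and random, is stored only as a hash, expires and is single-use, with a reply that never names the account, and (3) HOTP/TOTP as specified in RFC 4226/RFC 6238, checked against the RFC test vectors. The `ResetTokenStore`, `handle_reset`, the 15-minute `TOKEN_TTL_SECONDS` and the in-memory table are assumptions made for the example; `transaction_otp` is a simplified illustration of binding a code to transaction data and is not the RFC 6287 OCRA algorithm.

```python
from typing import Optional
import hashlib
import hmac
import secrets
import struct
import time

# --- 1. The arithmetic behind the 6-digit concern --------------------------

def expected_hits(token_space: int, outstanding: int, guesses: int) -> float:
    """Expected number of live reset tokens an attacker lands on with
    `guesses` uniformly random attempts while `outstanding` tokens are valid
    at the same time. With a 6-digit token (space 10**6) and 100 users who
    requested a reset, trying every value lands on about 100 accounts."""
    return guesses * outstanding / token_space

# --- 2. Reset tokens: long, random, hashed at rest, single-use, time-limited -

TOKEN_TTL_SECONDS = 900  # assumption for this example: 15-minute window

class ResetTokenStore:
    """In-memory stand-in for a database table (constructed for this example)."""

    def __init__(self) -> None:
        self._rows: dict = {}   # sha256(token) -> (user_id, expires_at)

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)              # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._rows[digest] = (user_id, now + TOKEN_TTL_SECONDS)
        return token                                   # only ever leaves in the e-mail link

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user_id the token belongs to, or None. The token alone
        selects the account, so the reset URL needs no e-mail address."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        row = self._rows.pop(digest, None)             # removed on first use: single-use
        if row is None:
            return None
        user_id, expires_at = row
        return user_id if now <= expires_at else None

GENERIC_REPLY = "If the link was valid, the password has been reset."

def handle_reset(store: ResetTokenStore, token: str, new_password: str,
                 set_password, now: Optional[float] = None) -> str:
    """Same reply whether or not the token matched: the response never names
    the account, so a wrong or right guess looks identical to the caller."""
    user_id = store.redeem(token, now)
    if user_id is not None:
        set_password(user_id, new_password)
    return GENERIC_REPLY

# --- 3. HOTP / TOTP per RFC 4226 / RFC 6238 (HMAC-SHA1, dynamic truncation) --

def _truncate(mac: bytes, digits: int) -> str:
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, unix_time // step, digits)

# --- 4. Binding a code to transaction data (the OCRA idea, simplified) -------

def transaction_otp(secret: bytes, counter: int, amount_cents: int, digits: int = 6) -> str:
    """Simplified illustration, NOT the RFC 6287 OCRA algorithm: the amount is
    mixed into the MAC input, so a code computed for one transfer does not
    verify for a different amount."""
    mac = hmac.new(secret, struct.pack(">QQ", counter, amount_cents), hashlib.sha1).digest()
    return _truncate(mac, digits)

if __name__ == "__main__":
    store = ResetTokenStore()
    t = store.issue("alice")
    print(handle_reset(store, t, "new-pw", lambda u, p: None))
    print(totp(b"12345678901234567890", 59, digits=8))  # RFC 6238 test vector: 94287082
```

The lookup is keyed on the SHA-256 of the token, so a database leak does not expose usable reset links, and the dictionary pop makes replay of an intercepted link fail on the second attempt. The TOTP secret and time value in `__main__` are the published RFC 6238 Appendix B test data, not a production secret.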