Question

In: Computer Science

If you forget your password for a website and you click [Forgot my password], sometimes the company sends you a new password by email but sometimes it sends you your old password by email. Compare these two cases in terms of vulnerability of the website owner.

Solutions

Expert Solution

Comparison of the two cases, in terms of the vulnerability of the website owner, when the company sends either a new password or the customer's old password by email to his/her email address after he/she has forgotten the password for the company's website and has clicked the "Forgot my password" button or link:

Both methods are secure and yet are not completely secure. However, the better one, in this case, for the users would be to receive a new password by email. Both methods are vulnerable in their own ways and to their own extent. However, in both cases, the user most likely would have to have access to his/her email account to read either password.

* The company sends the customer or user his/her original (old) password for their website by email to his/her email address, in the case of the user forgetting his/her original password:
This method is less secure, as best practice in computer, information, cyber, or Internet security is that one should not use, and should avoid using, his/her old password for more than 90 days. Since the old password itself would be sent by email in "cleartext", if the web or mobile version of the user's email application is not secured with SSL and/or encryption, there is a chance that attackers can get hold of the email with the password in it while the actual user is viewing it.

Also, when the website administrator, or the website application, system or server, sends the user's old password by email, it passes through a number of hops, routers, cable lines, etc. before it reaches the user, and any one or more of these could be vulnerable or insecure and be attacked by hackers tapping the cable lines or wireless communications, monitoring the network, the user's machine or his/her email account, shoulder surfing, or remotely accessing the user's machine. The password could also simply be seen accidentally by, say, a Support agent providing technical support on the user's machine who watches the user open the email and view the password, or who opens the email himself and sees the password.

If an attacker has already hacked into the user's machine, or simply has malware or software installed on the user's machine to monitor, view, gather, and capture what the user is doing and send it to a remote (hacker's) machine, the hacker would also be able to see the customer's password in plaintext, or even the system-generated one, for that matter!

* The company sends the customer or user a new password for their website by email to his/her email address, in the case of the user forgetting his/her original password:

Changing one's password is always better. The more frequently one changes his/her password, the more secure his/her account, system, machine, and applications would be. Especially where the new password is a system-generated one, which would have been generated following the password generation guidelines for length, strength, and security, the user's account or system would be safe and protected, and much less likely to be guessed or brute-forced using software on the attacker's or hacker's end.

All the above scenarios, vulnerabilities, and issues apply to the "new password" case as well. Even the new (mostly system-generated) password sent by the website owner will not be secure if it is shoulder surfed; monitored, viewed, and captured by malicious (spyware) software on the user's machine; or read from a cable or network tapped by the hacker while the password email is in transit, etc.

Hence, as best practice in terms of Internet security, the solution would be to reset or change the password to a new one, and the website owner should authenticate the user and his/her request for his/her security. The website owner should send an OTP (One Time Password) to the user's email address when he/she clicks "Forgot password"; the same is then typed into the OTP field of the login page of the website. This is the password assistance process.

Also, the user should not share this OTP with anyone, as the user's account security is taken very seriously. The website owner's Customer Service should and would never ask the user to disclose or verify his/her website account password, OTP, credit card, or banking account number. If the user receives a suspicious email with a link to update his/her account information, he/she should not click on the link; instead, he/she should report the email to the website owner for investigation.

When the user receives the OTP, types it into the field and submits it, and it is accepted and authenticated, the next step is for him or her to type in his/her new password or passphrase and type it again to confirm.

Password generation guidelines should be:

* The password should be at least 8 characters, and a combination of numbers and letters would be best.
* He/she should not use the same password he/she has used with the website owner earlier.
* He/she should not use any dictionary words, his/her name, e-mail address, mobile phone number, date of birth, or other personal information easily obtained or guessed by others.
* He/she should not use the same password for his/her multiple online accounts.

In either case, the user should be given the link and fields to change the password, so that no one and nothing sees his/her password, and it is sent, processed, and stored securely in an encrypted form.
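The reset flow the answer recommends (a one-time code sent by email, then a new password checked against the guidelines above) as an added example in Python; this is not code from the original answer or from any real website. The in-memory user record, the small wordlist, the 8-digit code, the 15-minute lifetime and the five-attempt limit are all assumptions for the example. What it makes concrete is the point underlying the comparison: a site that keeps only a salted one-way hash has nothing it could email back as the "old password", and the emailed code is itself stored hashed, expires, and is consumed on first successful use.

```python
"""Forgot-password flow: email a one-time code, verify it, then set a new password.
Added example with constructed data; not the original answer's code."""
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 200_000
OTP_TTL_SECONDS = 15 * 60          # assumed lifetime of the emailed code
OTP_MAX_ATTEMPTS = 5               # assumed guess limit for an 8-digit code
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "monkey"}  # constructed wordlist


def hash_secret(secret: str, salt: bytes) -> bytes:
    """One-way hash. The site stores only this, so it cannot recover and email the old password."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def make_user(email: str, password: str, phone: str, dob: str) -> dict:
    """Constructed user record (hypothetical schema for the example)."""
    salt = secrets.token_bytes(16)
    return {
        "email": email, "phone": phone, "dob": dob,
        "salt": salt, "pw_hash": hash_secret(password, salt),
        "previous_hashes": [],     # (salt, hash) of earlier passwords, for the reuse rule
        "otp": None,               # pending reset: {"salt", "hash", "expires", "attempts"}
    }


def check_password_policy(user: dict, candidate: str) -> list:
    """Apply the answer's guidelines; return the list of violations (empty means accepted)."""
    problems = []
    if len(candidate) < 8:
        problems.append("shorter than 8 characters")
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        problems.append("must mix letters and numbers")
    lowered = candidate.lower()
    if lowered in COMMON_WORDS:
        problems.append("dictionary word")
    personal = [user["email"].split("@")[0], user["phone"], user["dob"].replace("-", "")]
    if any(p and p.lower() in lowered for p in personal):
        problems.append("contains personal information")
    # Reuse check works on hashes only: the old plaintext was never kept.
    for salt, old_hash in [(user["salt"], user["pw_hash"])] + user["previous_hashes"]:
        if hmac.compare_digest(hash_secret(candidate, salt), old_hash):
            problems.append("reuses a previous password")
            break
    return problems


def start_reset(user: dict, now: float) -> str:
    """'Forgot password' clicked: mint the code that goes into the email.
    Only its hash, expiry and attempt counter are stored, so a leaked database
    row or backup does not contain a usable credential."""
    otp = f"{secrets.randbelow(10**8):08d}"
    salt = secrets.token_bytes(16)
    user["otp"] = {"salt": salt, "hash": hash_secret(otp, salt),
                   "expires": now + OTP_TTL_SECONDS, "attempts": 0}
    return otp                     # in a real site this value goes into the email and nowhere else


def complete_reset(user: dict, otp: str, new_password: str, now: float) -> tuple:
    """Verify the emailed code, then set the new password. Returns (ok, reason)."""
    pending = user["otp"]
    if pending is None:
        return False, "no reset in progress"
    if now > pending["expires"]:
        user["otp"] = None
        return False, "code expired"
    if not hmac.compare_digest(hash_secret(otp, pending["salt"]), pending["hash"]):
        pending["attempts"] += 1
        if pending["attempts"] >= OTP_MAX_ATTEMPTS:
            user["otp"] = None     # stop online guessing of the 8-digit space
            return False, "too many attempts"
        return False, "wrong code"
    problems = check_password_policy(user, new_password)
    if problems:
        return False, "; ".join(problems)   # code stays valid so the user can pick again
    user["previous_hashes"].append((user["salt"], user["pw_hash"]))
    user["salt"] = secrets.token_bytes(16)
    user["pw_hash"] = hash_secret(new_password, user["salt"])
    user["otp"] = None             # single use: the same code cannot be replayed
    return True, "password changed"


def login(user: dict, password: str) -> bool:
    """Normal login against the stored salted hash."""
    return hmac.compare_digest(hash_secret(password, user["salt"]), user["pw_hash"])


if __name__ == "__main__":
    alice = make_user("alice@example.com", "Spring2019x", "5551234567", "1990-04-12")
    code = start_reset(alice, now=0.0)
    print(complete_reset(alice, code, "alice1234", now=60.0))      # personal information
    print(complete_reset(alice, code, "Spring2019x", now=60.0))    # reuses old password
    print(complete_reset(alice, code, "Tr4in-Tunnel-9", now=60.0))
    print(login(alice, "Tr4in-Tunnel-9"), login(alice, "Spring2019x"))
```

The record never holds a plaintext password at any point, which is exactly why the "send the old password" variant is impossible here: a site that can do that must be storing passwords in a recoverable form. The emailed code is compared in constant time, is bound to an expiry and an attempt limit, and survives a rejected password choice but not a successful reset.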

