In: Computer Science
If you forget your password for a website and you click [Forgot my password], sometimes the company sends you a new password by email but sometimes it sends you your old password by email. Compare these two cases in terms of vulnerability of the website owner.
Comparison of the two cases, in terms of the vulnerability of the website owner, when a customer who has forgotten the password for the company's website clicks the "Forgot my password" button or link and the company emails either a new password or the old password to his/her email address:
Neither method is completely secure; both are vulnerable in their own ways and to their own extent. The better option for the user, however, is to receive a new password by email. In both cases the user most likely has to log in to his/her email account to read the password that was sent.
* The company sending the customer or user his/her original (old) password for the website by email to his/her email address, in the case of the user forgetting that password:
This method is less secure. As a best practice in computer, information, cyber or Internet security, one should not keep using the same password for more than 90 days. The old password itself is sent by email in cleartext, so if the user's webmail or mobile email application is not protected with SSL and/or encryption, an attacker has a chance to read the email containing the password while the actual user is viewing it. Being able to send the old password at all also means the website stores it in a recoverable form (cleartext or reversibly encrypted), so a breach of the site's own database exposes every customer's password at once.
Also, when the website administrator, or the website's application, system or server, sends the user's old password by email, the message passes through a number of hops, routers, cable lines, etc. before it reaches the user, and any one or more of these could be vulnerable or insecure. Attackers may tap the cable lines or wireless communications, monitor the network, the user's machine or his/her email account, shoulder surf, or remotely access the user's machine. The password may also simply be seen accidentally by, say, a support agent providing technical support on the user's machine, either by watching the user open the email or by opening the email himself.
If an attacker has already hacked into the user's machine, or has simply installed malware or monitoring software on it that views, gathers and captures what the user is doing and sends it to a remote (hacker's) machine, the hacker would also be able to see the customer's password in plaintext, and a system-generated one for that matter!
* The company sending the customer or user a new password for the website by email to his/her email address, in the case of the user forgetting his/her original password:
Changing one's password is always better. The more frequently one changes his/her password, the more secure his/her account, system, machine and applications are. Especially where the new password is system generated, following the password generation guidelines for length, strength and security, the user's account or system is safe and protected and much less likely to be guessed or brute-forced by software on the attacker's or hacker's end.
All of the scenarios, vulnerabilities and issues above apply to the "new password" case as well. Even a new (mostly system-generated) password from the website owner is not secure if it is shoulder surfed, monitored, viewed or captured by malicious (spyware) software on the user's machine, or if the cable or network is tapped by the hacker while the password email is in transit, etc.
Hence, as a best practice in terms of Internet security, the solution is to reset the password to a new one, and the website owner should authenticate the user and his/her request for the user's own security. When the user clicks "Forgot password", the website owner should send an OTP (One Time Password) to the user's email address, which the user then types into the OTP field on the website's login page. This is the password assistance process.
Also, the user should not share this OTP with anyone, as the user's account security is taken very seriously. The website owner's Customer Service should and would never ask the user to disclose or verify his/her website account password, OTP, credit card or bank account number. If the user receives a suspicious email with a link to update his/her account information, he/she should not click on the link; instead, he/she should report the email to the website owner for investigation.
Once the user receives the OTP, types it into the field and submits it, and it is accepted and authenticated, the next step is for him/her to type in a new password or passphrase and type it again to confirm it.
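The OTP-based reset flow described above, written out as an added example (this is not code from the original answer or from any real website). The names `OtpStore`, `issue_otp` and `redeem_otp`, the 10-minute validity window and the five-attempt limit are assumptions for the demonstration; the in-memory dictionary stands in for a database. The point it makes concrete is that the server never needs to keep the OTP itself, only its hash, and that a code is accepted once, within its lifetime, and only while guesses remain.

```python
"""Illustrative OTP-based password-reset flow (added example, not from the
original answer). OtpStore, issue_otp, redeem_otp, the TTL and the attempt
limit are assumptions for the demo; the dict stands in for a database."""
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 600      # an OTP is valid for 10 minutes (assumed policy)
MAX_ATTEMPTS = 5           # lock the OTP after this many wrong guesses (assumed)


def _digest(otp: str) -> str:
    # Only a hash of the OTP is stored server-side, so a leaked table does not
    # hand out live reset codes.
    return hashlib.sha256(otp.encode()).hexdigest()


class OtpStore:
    def __init__(self, now=time.time):
        self._now = now
        self._records = {}   # email -> {"hash", "expires", "attempts", "used"}

    def issue_otp(self, email: str) -> str:
        """Create a fresh 8-digit OTP for `email` and return it.

        The caller emails the returned value to the user; the server keeps
        only its hash. Reissuing replaces any earlier OTP for that address.
        """
        otp = "".join(secrets.choice("0123456789") for _ in range(8))
        self._records[email] = {
            "hash": _digest(otp),
            "expires": self._now() + OTP_TTL_SECONDS,
            "attempts": 0,
            "used": False,
        }
        return otp

    def redeem_otp(self, email: str, candidate: str) -> bool:
        """Check the OTP typed into the login page. Succeeds at most once."""
        rec = self._records.get(email)
        if rec is None or rec["used"]:
            return False
        if self._now() > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
            return False
        rec["attempts"] += 1
        # compare_digest avoids leaking the OTP through timing differences
        if not hmac.compare_digest(rec["hash"], _digest(candidate)):
            return False
        rec["used"] = True       # single use: a replayed OTP is rejected
        return True


def demo() -> dict:
    """Walk through the flow with a constructed user and a fake clock."""
    clock = [1_000_000.0]
    store = OtpStore(now=lambda: clock[0])
    email = "user@example.com"                  # constructed sample address
    otp = store.issue_otp(email)
    wrong = "00000000" if otp != "00000000" else "11111111"
    results = {
        "wrong_guess": store.redeem_otp(email, wrong),
        "correct": store.redeem_otp(email, otp),
        "replay": store.redeem_otp(email, otp),
    }
    otp2 = store.issue_otp(email)
    clock[0] += OTP_TTL_SECONDS + 1            # let the second OTP expire
    results["expired"] = store.redeem_otp(email, otp2)
    return results


if __name__ == "__main__":
    print(demo())
```

In a real deployment the successful `redeem_otp` would be tied to a short-lived session that is permitted to do exactly one thing: set a new password for that account. Note also that the OTP is independent of the old password, so the site never has to be able to read back what the user previously chose.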
Password generation guidelines should be:
* The password should be at least 8 characters; a combination of numbers and letters would be best.
* He/she should not use the same password he/she has used with the website owner earlier.
* He/she should not use any dictionary words, his/her name, e-mail address, mobile phone number, date of birth, or other personal information easily obtained or guessed by others.
* He/she should not use the same password for multiple online accounts.
In either case, the user should be given a link and fields to change the password, so that no one else sees his/her password and it is sent, processed and stored securely in an encrypted (hashed) form.
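An added example, not code from the original answer or from any website owner, that enforces the password guidelines above at the "type in the new password" step and stores the result as a salted hash. The functions `check_password_policy`, `hash_password` and `PasswordStore`, the tiny dictionary-word list, the personal-information fields and the PBKDF2 iteration count are all assumptions for the demonstration. Because only salt and hash are kept, this store cannot email the old password back, which is the structural difference between the two cases compared above.

```python
"""Password-policy check and hashed storage for the reset step (added
example, not from the original answer). Function names, the word list, the
personal-info fields and the iteration count are assumptions for the demo."""
import hashlib
import hmac
import os
import re

MIN_LENGTH = 8
PBKDF2_ITERATIONS = 100_000   # assumed value; tune upward for production
# tiny stand-in for a real dictionary-word list (constructed)
DICTIONARY_WORDS = {"password", "welcome", "letmein", "qwerty", "football"}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def check_password_policy(candidate: str, personal_info: dict, previous_hashes: list) -> list:
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[A-Za-z]", candidate) and re.search(r"\d", candidate)):
        problems.append("must mix letters and numbers")
    lowered = candidate.lower()
    for word in DICTIONARY_WORDS:
        if word in lowered:
            problems.append(f"contains dictionary word '{word}'")
    for field, value in personal_info.items():
        if value and value.lower() in lowered:
            problems.append(f"contains personal information ({field})")
    # Reuse check works on stored hashes: the old passwords themselves are
    # never available, only their salted digests.
    for salt, digest in previous_hashes:
        if hmac.compare_digest(digest, hash_password(candidate, salt)):
            problems.append("reuses an earlier password for this site")
            break
    return problems


class PasswordStore:
    """Keeps only (salt, hash) pairs, so the site cannot read back a password."""

    def __init__(self):
        self._records = {}   # email -> list of (salt, digest), newest last

    def history(self, email: str) -> list:
        return list(self._records.get(email, []))

    def set_password(self, email: str, new_password: str, personal_info: dict) -> list:
        """Apply the policy; on success store the new hash and return []."""
        problems = check_password_policy(new_password, personal_info, self.history(email))
        if problems:
            return problems
        salt = os.urandom(16)
        self._records.setdefault(email, []).append((salt, hash_password(new_password, salt)))
        return []

    def verify(self, email: str, password: str) -> bool:
        """Login check against the most recent hash, in constant time."""
        hist = self._records.get(email)
        if not hist:
            return False
        salt, digest = hist[-1]
        return hmac.compare_digest(digest, hash_password(password, salt))


def demo() -> dict:
    """Exercise each guideline with constructed sample input."""
    store = PasswordStore()
    email = "user@example.com"                               # constructed account
    info = {"name": "Alice", "phone": "5551234", "dob": "19900101"}
    results = {
        "too_short": store.set_password(email, "ab12", info),
        "no_digit": store.set_password(email, "correcthorse", info),
        "personal": store.set_password(email, "alice2024x", info),
        "dictionary": store.set_password(email, "Password2024", info),
        "accepted": store.set_password(email, "t7Gq!29pLx", info),
    }
    results["reused"] = store.set_password(email, "t7Gq!29pLx", info)
    results["login_ok"] = store.verify(email, "t7Gq!29pLx")
    results["login_bad"] = store.verify(email, "t7Gq!29pLy")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The "previous password" rule is the one that quietly depends on how the site stores credentials: it can be checked against hashes, as here, without the site ever being able to produce the old password, which is exactly what a site that emails old passwords has given up.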