Password Recovery

Summary:
Password recovery becomes necessary when the user of a system is no longer able to authenticate themselves because they have lost or forgotten their password. Any systems that require authentication will need to have some policy or procedure for password recovery.
The simplest policy is: “Password recovery will not be performed.” When combined with a policy that locks inactive accounts, it is also the most secure approach. Users who lose their password are required to repeat the registration process and acquire a new identity. The user will lose their previous identity and any saved information, and the cost of annoying your more careless users must be offset against any benefits in security and simplicity. If the “no recovery” policy is impossible, then there are two forms of recovery mechanism that may be implemented in some combination:
- Communicating a secret with the user over some pre-arranged secure channel, and having them use that to re-authenticate.
- Providing a secondary means of authentication for the purpose of recovering or resetting the first.
In a controlled environment, the second is the most popular. In a corporate environment, the user presents themselves to their manager or IT department, who verifies they are who they say they are, and resets their password. (Of course there’s also the “secure channel” of how the IT department communicates the new password to the user, but that’s trivial once the authentication has occurred.)
In such environments, password recovery for web applications becomes part of the broader account maintenance policies for the company. Web applications for which the users of the system are customers or clients, on the other hand, require separate techniques, which will be the focus of this paper.
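The first mechanism above, a secret sent over a pre-arranged channel, is sketched below as an added example; it is not code from the paper. It assumes an in-memory store, a 15-minute validity window, and that the caller delivers the returned secret over the user's registered channel; only a hash of the secret is kept, and it is consumed on first use.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: recovery secret is valid for 15 minutes

# Constructed in-memory store: username -> (sha256 hex of secret, expiry time).
# Storing only the hash means a leaked table does not yield usable secrets.
_pending_resets = {}


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_recovery_secret(username, now=None):
    """Create a fresh one-time secret for the user and remember its hash.

    Returns the plaintext secret; the caller sends it over the pre-arranged
    channel. Issuing a new secret replaces any earlier pending one.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of entropy; not guessable online
    _pending_resets[username] = (_digest(token), now + TOKEN_TTL_SECONDS)
    return token


def redeem_recovery_secret(username, presented, now=None):
    """Return True exactly once for a valid, unexpired secret.

    The pending entry is removed on every attempt, so a secret cannot be
    replayed and a wrong guess cannot be retried; the user simply requests
    a new one. The comparison is constant-time to avoid a timing side channel.
    """
    now = time.time() if now is None else now
    entry = _pending_resets.pop(username, None)
    if entry is None:
        return False
    stored_hash, expires_at = entry
    if now > expires_at:
        return False
    return hmac.compare_digest(stored_hash, _digest(presented))
```

Once `redeem_recovery_secret` returns True, the application lets the user set a new password; the secret itself never becomes the password.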

Format:
Pages: 8
Size: 36 kb
Author: Charles Miller

Download:
Password Recovery