What are the Pros and Cons for password recovery change links in email?
Although a lot of sites still send your password in plain text through email, there has been a push to send a web page url instead.
But how can that be any more secure than the password in clear text? If someone is going to intercept your email, they get your password either way. So isn't sending the url through email just an illusion of security?
2 Comments
If you're emailed your password and three months later someone gets access to your email, they can get into your account (unless you've changed the password, which is unlikely). If you're emailed a password reset link and three months later someone gets into your account it won't do anything, because even if you've not used it, it will have expired. It drastically reduces the time window in which an email compromise can give the attacker access to your account.
It's not about emailing plain text passwords vs. a URL, it's about storing passwords in plain text vs. hashing them. Storing passwords in plain text is not considered secure because if the site (or server, or database...) is exploited, the hacker has access to the user's account on that site along with any other site on which they use the same username and password. A correctly hashed (and salted) password does not have this vulnerability.
A site that is storing passwords securely can't email you your password, because it doesn't know what your password is. That's why a non-guessable URL that allows you to reset your password is sent instead.
If the system you're securing is sensitive enough that you want to protect users from having their email hacked, consider using two factor authentication for an added layer of security.
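Both comments above describe the same server-side pattern: the site stores only a salted hash of the password (so it cannot email it back), and the reset link carries a random, non-guessable token that expires and can be used only once. The following is an added illustration, not code from either commenter or from any real site; it uses an in-memory store, a constructed `https://example.invalid/reset` URL, and a 15-minute lifetime, all of which are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed in-memory stores standing in for a database (example only).
USERS: Dict[str, dict] = {}
RESET_TOKENS: Dict[str, dict] = {}  # keyed by sha256(token) hex, never the raw token

PBKDF2_ITERATIONS = 600_000   # assumed work factor for PBKDF2-HMAC-SHA256
RESET_TTL_SECONDS = 15 * 60   # assumed link lifetime: short, as the first comment argues


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key). The plaintext is never stored, so the site
    has nothing it could email back to the user."""
    salt = salt or secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, key


def create_user(username: str, password: str) -> None:
    salt, key = hash_password(password)
    USERS[username] = {"salt": salt, "hash": key}


def verify_password(username: str, password: str) -> bool:
    user = USERS.get(username)
    if user is None:
        return False
    _, key = hash_password(password, user["salt"])
    return hmac.compare_digest(key, user["hash"])  # constant-time comparison


def _token_key(token: str) -> str:
    # Store only a hash of the token: a leaked token table yields no usable links.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_link(username: str, now: Optional[float] = None) -> str:
    """Create a single-use reset URL with 256 bits of randomness."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[_token_key(token)] = {
        "username": username,
        "expires_at": now + RESET_TTL_SECONDS,
        "used": False,
    }
    return f"https://example.invalid/reset?token={token}"  # hypothetical URL


def redeem_reset_link(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Accept the token only if it exists, is unused and has not expired;
    then replace the stored hash. Returns False in every failure case."""
    now = time.time() if now is None else now
    record = RESET_TOKENS.get(_token_key(token))
    if record is None or record["used"] or now > record["expires_at"]:
        return False
    record["used"] = True
    salt, key = hash_password(new_password)
    USERS[record["username"]] = {"salt": salt, "hash": key}
    return True


if __name__ == "__main__":
    create_user("alice", "correct horse")
    link = issue_reset_link("alice", now=1000.0)
    token = link.split("token=")[1]
    print("expired link accepted:", redeem_reset_link(token, "new pw", now=1000.0 + RESET_TTL_SECONDS + 1))
    print("fresh link accepted:", redeem_reset_link(token, "new pw", now=1060.0))
    print("reuse accepted:", redeem_reset_link(token, "again", now=1061.0))
```

The two checks in `redeem_reset_link` are what make an intercepted email less valuable than an emailed password: an old message in a compromised mailbox holds a token that has already expired or already been consumed, whereas an emailed plaintext password stays valid until the user changes it.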