
You have forgotten your password, so you click on the “forgot my password” link


Question

You have forgotten your password, so you click on the “forgot my password” link to have a new one sent to you by email. Among the approaches a site can take, sometimes the site tells you what your password was; other times, it sends you a new (usually temporary) password.

What are the privacy and security implications of each approach? Be sure to include in your answer the implications both for the data at rest (on the remote server and on your provider’s email server) and in transit (while the email is being sent over the network/internet).

An important test-taking strategy here is to make sure that you identify all the parts of the question that are being asked. This question is asking you to think about two approaches, each at rest and in transit. Therefore, you should identify each of the following things to fully answer this question:


Privacy and security implications for approach 1 (data at rest)

Privacy and security implications for approach 1 (data in transit)

Privacy and security implications for approach 2 (data at rest)

Privacy and security implications for approach 2 (data in transit)

Explanation / Answer

Approach 1:- Password is sent by email

Privacy and security implications for approach 1 (data at rest)

Privacy - Good approach, as the forgotten password will be sent to the registered email ID of the user who has requested "Forgot Password". In this case only the registered email ID will receive the desired password and nobody else. Thus we can be assured that the recipient will always get his/her password mailed to the correct email ID and no one will get to know about this.

Security Implications - The password will be sent securely and secretly to the desired recipient who has requested it, thus maintaining the anonymity of the user.

Privacy and security implications for approach 1 (data in transit)

Privacy - Can be subjected to various attacks by undesired parties, and hence the contents of the mail can be read by the attacker; this may lead to the disclosure of the password without the consent of the user.

Security Implications - Breach/Disclosure of passwords which could lead to the attacker resetting the password from his end and this can prevent the desired/requested user to be invalidated since the password is already being set.  

Approach 2:- Site tells us what the password was

Privacy and security implications for approach 2 (data at rest)

Privacy - Privacy can be compromised if the secured password is displayed on the recipient's screen and someone standing behind secretly notices it.

Security Implications - Undesired parties can get to know the password very easily by watching the password appear on the screen, and this can lead to revelation of the password of the user.

Privacy and security implications for approach 2 (data in transit)

Privacy - Maintained, as the password will be displayed only on the screen of the user. In this case the data (i.e. the password) travels from the stored location and is displayed only on the screen of the user who has requested "Forgot Password". Thus privacy is maintained, as only the desired user gets to view his/her own password.

Security Implications - In this case the password will be secured and protected since it is not being sent to any other external links, as it is only being displayed on the screen of the requesting user. Thus the password is only transmitted from the stored database to the user's screen and not to any foreign links (i.e. the email ID of the user).

Please let me know in case of any clarifications required. Thanks!
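An added example, not part of the original question or answer: a sketch of what the server holds at rest under the "new temporary credential" approach from the question. A site that can tell you your old password must store it in recoverable form; here the server keeps only a salted hash of the password and a hash of an expiring, single-use reset token. The `Account` class, function names, 15-minute lifetime and PBKDF2 iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import os
import secrets
import time

TOKEN_TTL = 15 * 60       # seconds a reset token stays valid (constructed value)
PBKDF2_ROUNDS = 600_000   # work factor assumed for this example

def hash_password(password, salt=None):
    """Return (salt, digest). The plaintext password is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def verify_password(password, salt, digest):
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

class Account:
    def __init__(self, password):
        self.salt, self.digest = hash_password(password)
        self.reset = None  # (sha256 of token, expiry time) while a reset is pending

def issue_reset_token(account, now=None):
    """Create the value that is emailed; the server stores only its hash."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    account.reset = (hashlib.sha256(token.encode()).digest(), now + TOKEN_TTL)
    return token

def redeem_reset_token(account, token, new_password, now=None):
    """Set a new password only if the token matches, is unexpired and unused."""
    now = time.time() if now is None else now
    if account.reset is None:
        return False
    token_hash, expiry = account.reset
    presented = hashlib.sha256(token.encode()).digest()
    if now > expiry or not hmac.compare_digest(presented, token_hash):
        return False
    account.salt, account.digest = hash_password(new_password)
    account.reset = None  # single use: a copy left in a mailbox no longer works
    return True
```

With this storage model the server has nothing it could send back as "your old password", and a reset email that sits in a mailbox or is read in transit stops being useful once the token is redeemed or expires.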
