Forum OpenACS Q&A: Re: Interesting article on web based password protection
"Consider this example: a hacker breaks into someone's computer and has full access to the victim's PC. The hacker sees that the user has an online banking account. So he logs in to the banking site, clicks on the "Forgot My Password" link and waits for an e-mail. As soon as the mail containing the password comes in, he deletes the mail and logs in to the site. The user never knows that the password was compromised."

Now if the hacker in paragraph one has broken into someone's computer and has full access to the victim's PC, why is the scheme proposed in paragraph two any more secure? The hacker will just chase the link, select a new password, then delete the e-mail. The victim will eventually try to log in and realize they can't, but by then the bank account is presumably empty.

"The best way to deal with lost passwords is to reset the password and e-mail the user a secure link back to your Web site. In the e-mail you should clearly state that a password reset was initiated and from which IP address it was initiated. Once they click on the link and have connected back to your Web site, they can select a new password for their account."
I think it's also clear that if the hacker has full access to the victim's PC there's no security available anyway.
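The reset-by-link scheme quoted in paragraph two, written out as an added example; this is not code from the original post or from OpenACS. It assumes a site at https://example.com with a /reset?token=... page, a 15-minute token lifetime, an in-memory user record standing in for a database row, and a plain list standing in for the mail system. It departs from the quoted text in one deliberate way, noted in the comments: the old password is left valid until the link is actually used, so that anyone who merely knows the victim's e-mail address cannot lock them out by requesting resets.

```python
"""Password reset by e-mailed link (illustrative example, not OpenACS code).

Assumed, not from the original page: SITE_URL, the /reset?token= path,
the 15-minute lifetime, and the in-memory User/outbox stand-ins.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

SITE_URL = "https://example.com"   # assumed
TOKEN_TTL_SECONDS = 15 * 60        # assumed token lifetime


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """PBKDF2-HMAC-SHA256, stored as 'hexsalt$hexdigest'."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


@dataclass
class ResetRequest:
    token_hash: str          # only the hash is stored; the raw token exists only in the e-mail
    expires_at: float
    requested_from_ip: str


@dataclass
class User:
    email: str
    password_hash: str
    pending_reset: Optional[ResetRequest] = None


def start_reset(user: User, requester_ip: str, outbox: list, now: Optional[float] = None) -> None:
    """Issue a single-use reset token and mail a link carrying it.

    Design choice (differs from the quoted article): the existing password is
    NOT invalidated here, only when the link is used, so a stranger who knows
    the e-mail address cannot lock the real user out by requesting resets.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    user.pending_reset = ResetRequest(
        token_hash=hashlib.sha256(token.encode()).hexdigest(),
        expires_at=now + TOKEN_TTL_SECONDS,
        requested_from_ip=requester_ip,
    )
    outbox.append({
        "to": user.email,
        "body": (
            f"A password reset was requested for your account from IP {requester_ip}.\n"
            "If that was you, choose a new password here within 15 minutes:\n"
            f"{SITE_URL}/reset?token={token}\n"
            "If it was not you, ignore this message; your password has not changed."
        ),
    })


def complete_reset(user: User, token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Accept the token once, within its lifetime, then set the new password."""
    now = time.time() if now is None else now
    req = user.pending_reset
    if req is None or now > req.expires_at:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, req.token_hash):   # constant-time compare
        return False
    user.pending_reset = None               # single use: the token is now dead
    user.password_hash = hash_password(new_password)
    return True


def token_from_email(message: dict) -> str:
    """Pull the token out of the mailed link, as the user's browser would."""
    for line in message["body"].splitlines():
        if line.startswith(SITE_URL + "/reset?token="):
            return line.split("token=", 1)[1]
    raise ValueError("no reset link in message")


if __name__ == "__main__":
    alice = User("alice@example.com", hash_password("old-secret"))
    mail = []
    start_reset(alice, "203.0.113.7", mail)          # constructed sample request
    print(mail[0]["body"])
    print("reset ok:", complete_reset(alice, token_from_email(mail[0]), "new-secret"))
    print("old password still valid:", verify_password("old-secret", alice.password_hash))
```

Storing only the SHA-256 of the token means a read of the user table does not hand out live reset links, and clearing `pending_reset` on success is what makes the link single-use. None of this changes the point made in the post above: an attacker who already controls the victim's mailbox or PC receives the link just as the victim would.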