1 Reply Latest reply: May 12, 2013 8:07 PM by EJP

Plain Text Password Reset Vulnerability

I have a general question about password reset messages.

If I receive an email with a plain text generated password (in response to a password reset request), is this a vulnerability? The password expires after one use; in other words, the user has to change their password as soon as they register.

I could imagine that such a password reset scheme would at least be vulnerable to a man-in-the-middle attack. The man in the middle could get the temp password and then lock out the user with a new password. But is there perhaps another vulnerability?
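An added example, not from this thread or any poster: a minimal Python reset-token store showing the controls that limit what an intercepted reset message is worth (only a hash is stored, the token expires, it works once, and re-issuing invalidates the earlier one). The `PASSWORD_HASHES` table, the injectable clock and the account name are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # short lifetime bounds the window in which a captured message is useful

# Constructed stand-in for the credential store (assumption): account -> password digest.
# A real system would use a slow password KDF (bcrypt/scrypt/argon2) here, not plain SHA-256.
PASSWORD_HASHES = {"alice": hashlib.sha256(b"old-password").hexdigest()}


def _digest(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


class ResetTokenStore:
    """Issues single-use, time-limited reset tokens and keeps only their hashes at rest."""

    def __init__(self, clock=time.time):
        self._clock = clock        # injectable so expiry can be tested without sleeping
        self._pending = {}         # account -> (token digest, expiry timestamp)

    def issue(self, account: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not a guessable password
        # Overwriting any earlier entry invalidates tokens from previous reset requests.
        self._pending[account] = (_digest(token), self._clock() + TOKEN_TTL_SECONDS)
        return token  # the raw token exists only here and in the outgoing message, never in the store

    def redeem(self, account: str, presented: str, new_password: str) -> bool:
        entry = self._pending.get(account)
        if entry is None:
            return False
        digest, expires_at = entry
        if self._clock() > expires_at:
            del self._pending[account]  # expired: discard so it cannot linger
            return False
        if not hmac.compare_digest(digest, _digest(presented)):
            return False  # wrong token: constant-time compare, entry left intact for the real user
        del self._pending[account]  # single use: consumed on the first successful redemption
        PASSWORD_HASHES[account] = _digest(new_password)
        return True
```

The password itself is never sent; the token only authorises the holder to set a new one, and the account's existing credential is untouched until that happens.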