Password notification e-mail
Encyclopedia
Password notification email is a common password recovery technique used by website
Website
A website, also written as Web site, web site, or simply site, is a collection of related web pages containing images, videos or other digital assets. A website is hosted on at least one web server, accessible via a network such as the Internet or a private local area network through an Internet...

s. If a user forgets their password
Password
A password is a secret word or string of characters that is used for authentication, to prove identity or gain access to a resource . The password should be kept secret from those not allowed access....

 then a password notification email
Email
Electronic mail, commonly known as email or e-mail, is a method of exchanging digital messages from an author to one or more recipients. Modern email operates across the Internet or other computer networks. Some early email systems required that the author and the recipient both be online at the...

 is sent containing enough information for the user to access their account again. This method of password retrieval relies on the assumption that only the legitimate owner of the account has access to the inbox for that particular email address.

The process is often initiated by the user clicking on a forgotten password link on the website where, after entering their username or email address, the password notification email would be automatically sent to the inbox of the account holder. Some websites, such as Dating Direct, allow the user to choose to include the password in every email sent from the website. This has the problem that all of the emails received must be treated with the same security as a password notification email.

The email sent could contain a new, temporary password for the account or a URL
Uniform Resource Locator
In computing, a uniform resource locator or universal resource locator is a specific character string that constitutes a reference to an Internet resource....

 that can be followed to enter a new password for that account. The new password or the URL often contain a randomly generated string
String (computer science)
In formal languages, which are used in mathematical logic and theoretical computer science, a string is a finite sequence of symbols that are chosen from a set or alphabet....

 of text that can only be obtained by reading that particular email. This is a very common technique used by websites such as Gmail
Gmail
Gmail is a free, advertising-supported email service provided by Google. Users may access Gmail as secure webmail, as well via POP3 or IMAP protocols. Gmail was launched as an invitation-only beta release on April 1, 2004 and it became available to the general public on February 7, 2007, though...

.

Another method used is to send all or part of the original password in the email. Sending only a few characters of the password, a method employed by Friends Reunited
Friends Reunited
Friends Reunited is a portfolio of social networking websites based upon the themes of reunion with research , and job-hunting...

, can help the user to remember their original password, without having to reveal the whole password to them.

Security problems

The main issue is that the contents of the password notification email can be easily discovered by anyone with access to the inbox of the account owner. This could be as a result of shoulder surfing
Shoulder surfing (computer security)
In computer security, shoulder surfing refers to using direct observation techniques, such as looking over someone's shoulder, to get information...

 or if the inbox itself is not password protected. The contents could then be used to compromise the security of the account. The user would therefore have the responsibility of either securely deleting the email or ensuring that its contents are not revealed to anyone else. A partial solution to this problem, employed by websites such as Google Accounts, is to cause any links contained within the email to expire after a period of time, making the emailuseless if it is not used quickly after it is sent.

One problem with sending the original password in the email is that the password contained within could be used to access other accounts used by the user, if that user had chosen to use the same password for two or more accounts.

Emails are often not secure so, unless the email had been encrypted
Encryption
In cryptography, encryption is the process of transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information...

 prior to being sent, the contents could be read by anyone who eavesdrops
Eavesdropping
Eavesdropping is the act of secretly listening to the private conversation of others without their consent, as defined by Black's Law Dictionary...

on the email.
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 
x
OK