12

OWASP's Secure Coding Practices Checklist mentions

Only send non-temporary passwords over an encrypted connection or as encrypted data

I can understand why permanent passwords are sent encrypted, but I cannot grasp my mind around why temporary passwords shouldn't be encrypted.

1
  • 22
    I think the confusion is that there are two ways to interpret the word 'only' in 'only send non-temporary passwords over an encrypted connection'. This could mean that you should send only non-temporary passwords, and not other types of passwords, over an encrypted connection. Or, it could mean that non-temporary passwords should only be sent over an encrypted connection, and not any other type of connection. In this case, I believe the writer intended the latter. Commented Mar 22, 2025 at 17:13

2 Answers

43

The recommendation is poorly phrased. To be more clear, it should say this:

“When you send permanent passwords, always encrypt them or use an encrypted connection.”

So the OWASP doesn't recommend against sending temporary passwords over a secure channel. This would be absurd. If you have the chance to use a secure channel, then you should. But in the case of temporary passwords, it may be acceptable to also use an insecure channel if this is the only option.

1
  • 3
    Note that OP's interpretation also forbids encrypting anything that isn't a password, which ought to be a huge indication of the misunderstanding. Commented Mar 25, 2025 at 16:41
8

Because there are scenarios where it's infeasible not to send temporary passwords in clear text. A forgotten-password function that sends a temporary token via SMS or e-mail is an instance of a temporary password that is sent unencrypted. OTPs via SMS are another instance.

It lowers security, but it increases usability. Security is almost always a balance between those two.

7
  • 8
    I'm fairly sure this is a misreading of the recommendation (which is poorly phrased). It would be absurd to recommend against sending temporary passwords over secure channels. What the OWASP means is: When you're dealing with permanent passwords, always use a secure channel. For temporary passwords, there's no explicit requirement. Commented Mar 23, 2025 at 0:23
  • 6
    The OP literally asked why temporary passwords shouldn't be encrypted, because that's how they understood the OWASP recommendation. This is a misreading of the quote. In reality, the recommendation doesn't talk about temporary passwords at all, so if you argue for or against sending them over an insecure channel based on the quote, this makes no sense. Nothing related to temporary passwords follows from the OWASP recommendation. Commented Mar 23, 2025 at 7:26
  • 5
    Yes - and my answer is that in some cases it's infeasible to encrypt, thus the standard makes no such requirement? You're reading something I have not written. Commented Mar 23, 2025 at 7:28
  • 7
    You keep answering a question nobody asked. The OP wants to know (based on a misunderstanding): Why does the OWASP say that temporary passwords shouldn't be encrypted? That's their question. The correct answer would be: The OWASP doesn't say this. They say nothing about temporary passwords at all. Instead of making this clear, you explain why you think that sending temporary passwords over an insecure channel is sometimes acceptable. But this wasn't the question. Commented Mar 23, 2025 at 7:38
  • 5
    Do you not understand that the OP asked a specific question? Read the text. Then read the comment of mti2935 which explains why the question contains a false assumption. If the OP had asked “Why is the moon made of green cheese?”, then the only valid answer would be “The moon is not made of green cheese. Your question is based on a false assumption.” If your answer starts with “Because ...”, then you're not answering the question. It's cool that you want to share general advice. I may even agree with you. But it's still a poor answer with respect to the question. See the difference? Commented Mar 23, 2025 at 8:20
